
Windows Analysis Report
0442.pdf.exe

Overview

General Information

Sample name: 0442.pdf.exe (renamed because the original name is a hash value)
Original sample name: .pdf.exe
Analysis ID: 1580649
MD5: 4f6b2b9ee57c50d6c505d0cdada4803e
SHA1: ad7dee6f1f71c4fe6299170a160592f139390e12
SHA256: 62410e8399acf7834c74012783bde3fe9ff244e048141c4a96a65bec06895f37

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Connects to many ports of the same IP (likely port scanning)
Enables network access during safeboot for specific services
Enables remote desktop connection
Initial sample is a PE file and has a suspicious name
Uses an obfuscated file name to hide its real file extension (double extension)
Uses ping.exe to check the status of other devices and networks
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
File is packed with WinRar
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 0442.pdf.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\0442.pdf.exe" MD5: 4F6B2B9EE57C50D6C505D0CDADA4803E)
    • msiexec.exe (PID: 7400 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ms.msi" /qn MD5: E5DA170027542E25EDE42FC54C929077)
    • cmd.exe (PID: 7416 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 7712 cmdline: ping 8.8.8.8 MD5: 2F46799D79D22AC72C241EC0322B011D)
    • Acrobat.exe (PID: 7436 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\doc.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
      • AcroCEF.exe (PID: 7908 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
        • AcroCEF.exe (PID: 8128 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1720,i,4460427527233058691,5362964774260238234,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
    • Acrobat.exe (PID: 7528 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\doc2.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
  • msiexec.exe (PID: 7480 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • ROMFUSClient.exe (PID: 8276 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall MD5: 63D0964168B927D00064AA684E79A300)
      • ROMServer.exe (PID: 8324 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall MD5: F3D74B072B9697CF64B0B8445FDC8128)
    • ROMFUSClient.exe (PID: 8552 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall MD5: 63D0964168B927D00064AA684E79A300)
      • ROMServer.exe (PID: 8600 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall MD5: F3D74B072B9697CF64B0B8445FDC8128)
    • ROMFUSClient.exe (PID: 8640 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start MD5: 63D0964168B927D00064AA684E79A300)
      • ROMServer.exe (PID: 8732 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start MD5: F3D74B072B9697CF64B0B8445FDC8128)
  • svchost.exe (PID: 7976 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • ROMServer.exe (PID: 8764 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" MD5: F3D74B072B9697CF64B0B8445FDC8128)
    • ROMFUSClient.exe (PID: 8916 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" MD5: 63D0964168B927D00064AA684E79A300)
    • ROMFUSClient.exe (PID: 8928 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
0000000B.00000000.1806255889.0000000000401000.00000020.00000001.01000000.0000000B.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
0000000C.00000000.1812231802.0000000000401000.00000020.00000001.01000000.0000000C.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
12.0.ROMServer.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
11.0.ROMFUSClient.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\0442.pdf.exe", CommandLine: "C:\Users\user\Desktop\0442.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\0442.pdf.exe, NewProcessName: C:\Users\user\Desktop\0442.pdf.exe, OriginalFileName: C:\Users\user\Desktop\0442.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\0442.pdf.exe", ProcessId: 7312, ProcessName: 0442.pdf.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7976, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: 0442.pdf.exe | Virustotal: Detection: 44%
Source: 0442.pdf.exe | ReversingLabs: Detection: 26%
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtf
Source: 0442.pdf.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 0442.pdf.exe
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF64150B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF64150B190
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6414F40BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6414F40BC
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF64151FCA0 FindFirstFileExA,0_2_00007FF64151FCA0
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | File opened: C:\Windows\SysWOW64\wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | File opened: C:\Windows\SysWOW64\winspool.drv
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\COMCTL32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | File opened: C:\Windows\SysWOW64\
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | File opened: C:\Windows\SysWOW64\winmm.dll

Networking

Source: global traffic | TCP traffic: 101.99.91.150 ports 5651,8080,1,5,6,80
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Registry value created: NULL Service
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 8.8.8.8
Source: global traffic | TCP traffic: 192.168.2.4:49796 -> 101.99.91.150:5651
Source: Joe Sandbox View | ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY
Source: unknown | TCP traffic detected without corresponding DNS query: 101.99.91.150
Source: global traffic | DNS traffic detected: DNS query: x1.i.lencr.org
Source: 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A408000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A446000.00000004.00000020.00020000.00000000.sdmp, 675fde.msi.5.dr, ms.msi.0.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 00000009.00000002.3428915948.000001B231800000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000009.00000003.1746773700.000001B231A18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000009.00000003.1746773700.000001B231A18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 00000009.00000003.1746773700.000001B231A18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 00000009.00000003.1746773700.000001B231A18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000009.00000003.1746773700.000001B231A18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000009.00000003.1746773700.000001B231A18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000009.00000003.1746773700.000001B231A4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000009.00000003.1746773700.000001B231A91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: ROMFUSClient.exe, 0000000B.00000000.1807368103.00000000008E4000.00000002.00000001.01000000.0000000B.sdmp, ROMServer.exe, 0000000C.00000000.1824434137.00000000009FE000.00000002.00000001.01000000.0000000C.sdmp, ROMServer.exe, 00000012.00000002.3580742486.000000000158C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000015.00000002.3580857023.000000000278C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000015.00000002.3580857023.000000000288C000.00000004.00001000.00020000.00000000.sdmp, MSI6694.tmp.5.dr | String found in binary or memory: http://litemanager.com/
Source: ROMFUSClient.exe, 00000015.00000002.3580857023.0000000002893000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://litemanager.com/03
Source: ROMServer.exe, 00000012.00000002.3580742486.0000000001593000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://litemanager.com/03Y
Source: ROMServer.exe, 00000012.00000002.3580742486.000000000158C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000015.00000002.3580857023.000000000288C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://litemanager.com/1
Source: ROMFUSClient.exe, 0000000B.00000000.1807368103.00000000008E4000.00000002.00000001.01000000.0000000B.sdmp, ROMServer.exe, 0000000C.00000000.1824434137.00000000009FE000.00000002.00000001.01000000.0000000C.sdmp, Russian.lg.5.dr | String found in binary or memory: http://litemanager.ru/
Source: ROMServer.exe, 0000000C.00000000.1812231802.0000000000401000.00000020.00000001.01000000.0000000C.sdmp | String found in binary or memory: http://litemanager.ru/noip.txtU
Source: 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A408000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A446000.00000004.00000020.00020000.00000000.sdmp, 675fde.msi.5.dr, ms.msi.0.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A408000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A446000.00000004.00000020.00020000.00000000.sdmp, 675fde.msi.5.dr, ms.msi.0.dr | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A408000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A446000.00000004.00000020.00020000.00000000.sdmp, 675fde.msi.5.dr, ms.msi.0.dr | String found in binary or memory: http://s2.symcb.com0
Source: 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A408000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A446000.00000004.00000020.00020000.00000000.sdmp, 675fde.msi.5.dr, ms.msi.0.dr | String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A408000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A446000.00000004.00000020.00020000.00000000.sdmp, 675fde.msi.5.dr, ms.msi.0.dr | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A408000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A446000.00000004.00000020.00020000.00000000.sdmp, 675fde.msi.5.dr, ms.msi.0.dr | String found in binary or memory: http://sv.symcd.com0&
Source: 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A408000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A446000.00000004.00000020.00020000.00000000.sdmp, 675fde.msi.5.dr, ms.msi.0.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A408000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A446000.00000004.00000020.00020000.00000000.sdmp, 675fde.msi.5.dr, ms.msi.0.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A408000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A446000.00000004.00000020.00020000.00000000.sdmp, 675fde.msi.5.dr, ms.msi.0.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: MSI6694.tmp.5.dr | String found in binary or memory: http://www.LiteManagerTeam.com
Source: ROMFUSClient.exe, 0000000B.00000000.1806255889.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMFUSClient.exe, 0000000B.00000003.1831206649.0000000002A07000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000C.00000003.1827685942.00000000027F7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000C.00000000.1812231802.0000000000951000.00000020.00000001.01000000.0000000C.sdmp, ROMFUSClient.exe, 0000000E.00000003.1849439942.00000000029F7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000F.00000003.1843162771.0000000002B37000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000010.00000003.1887504046.0000000002877000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 00000011.00000003.1884190514.0000000002A67000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 00000012.00000002.3580742486.00000000014F7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000014.00000002.3580707479.0000000002827000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000015.00000002.3580857023.00000000027F7000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.indyproject.org/
Source: 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A408000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A446000.00000004.00000020.00020000.00000000.sdmp, 675fde.msi.5.dr, ms.msi.0.dr | String found in binary or memory: http://www.symauth.com/cps0(
Source: 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A408000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A446000.00000004.00000020.00020000.00000000.sdmp, 675fde.msi.5.dr, ms.msi.0.dr | String found in binary or memory: http://www.symauth.com/rpa00
Source: 2D85F72862B55C4EADD9E66E06947F3D0.8.dr | String found in binary or memory: http://x1.i.lencr.org/
Source: 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A408000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A446000.00000004.00000020.00020000.00000000.sdmp, 675fde.msi.5.dr, ms.msi.0.dr | String found in binary or memory: https://d.symcb.com/cps0%
Source: 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A408000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A446000.00000004.00000020.00020000.00000000.sdmp, 675fde.msi.5.dr, ms.msi.0.dr | String found in binary or memory: https://d.symcb.com/rpa0
Source: svchost.exe, 00000009.00000003.1746773700.000001B231AC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000009.00000003.1746773700.000001B231A56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000009.00000003.1746773700.000001B231AC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000009.00000003.1746773700.000001B231AA3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1746773700.000001B231AC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000009.00000003.1746773700.000001B231AC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: ROMFUSClient.exe, 0000000B.00000000.1806255889.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 0000000C.00000000.1812231802.0000000000401000.00000020.00000001.01000000.0000000C.sdmp | String found in binary or memory: https://litemanager.com/romversion.txt
Source: ROMFUSClient.exe, 0000000B.00000000.1806255889.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 0000000C.00000000.1812231802.0000000000401000.00000020.00000001.01000000.0000000C.sdmp | String found in binary or memory: https://litemanager.com/soft/pro/ROMServer.zip
Source: svchost.exe, 00000009.00000003.1746773700.000001B231AC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000009.00000003.1746773700.000001B231A56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:

System Summary

Source: initial sample | Static PE information: Filename: 0442.pdf.exe
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6414EC2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\675fde.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{71FFA475-24D5-44FB-A51F-39B699E3D82C}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6694.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\675fe1.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\675fe1.msi
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\675fe1.msi
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF64150B190
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF641503484
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6414FA4AC
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6414EF930
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6414F4928
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF641510754
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF64150CE88
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF641501F20
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6414E5E24
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6414E7288
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6414F126C
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6414EA310
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6414EC2F0
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6414FF180
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6415021D0
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6414FB534
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6415053F0
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6414E76C0
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF641522550
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6414E4840
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF64151C838
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF641502AB0
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6414E1AA4
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF64151FA94
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6414F1A48
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF641525AF8
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6415189A0
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6414FC96C
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF641503964
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6414FBB90
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF641504B98
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6414F5B60
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF641518C1C
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6414FAF18
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF641502D58
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF641508DF4
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF641510754
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF641522080
Source: ROMViewer.exe.5.dr | Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ROMServer.exe.5.dr | Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ROMServer.exe0.5.dr | Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ROMServer.exe.5.dr | Static PE information: Number of sections : 11 > 10
Source: ROMFUSClient.exe.5.dr | Static PE information: Number of sections : 11 > 10
Source: ROMServer.exe0.5.dr | Static PE information: Number of sections : 11 > 10
Source: ROMViewer.exe.5.dr | Static PE information: Number of sections : 11 > 10
Source: ROMViewer.exe.5.dr | Static PE information: Resource name: RT_RCDATA type: Delphi compiled form 'TfmEditBinaryValue'
Source: 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A452000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0442.pdf.exe
Source: 0442.pdf.exe, 00000000.00000003.1719082545.000001FD263F7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsiexec.exeX vs 0442.pdf.exe
Source: 0442.pdf.exe, 00000000.00000002.1724730932.000001FD263F6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAcrobat.exe< vs 0442.pdf.exe
Source: 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A460000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0442.pdf.exe
Source: 0442.pdf.exe, 00000000.00000003.1722421395.000001FD263F4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAcrobat.exe< vs 0442.pdf.exe
Source: 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A408000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameISRegSvr.dll vs 0442.pdf.exe
Source: 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A3CC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0442.pdf.exe
Source: 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A3CC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSetAllUsers.dll< vs 0442.pdf.exe
Source: 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A46C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0442.pdf.exe
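The nine "OriginalFilename ... vs 0442.pdf.exe" rows above are the evidence behind the name/icon mismatch verdict: VERSIONINFO strings recovered from the sample's memory carry names such as Acrobat.exe, msiexec.exe, _IsIcoRes.exe, ISRegSvr.dll and SetAllUsers.dll, none of which is the name of the file on disk. As an added example, not part of the Joe Sandbox report, the following Python reproduces that check on raw bytes (a file or a memory dump): it locates the UTF-16LE `OriginalFilename` key of a VS_VERSIONINFO String entry, reads the DWORD-aligned value after it, and compares the result with the on-disk name. The sample buffer is constructed inline; computing the value's alignment from the absolute offset is a heuristic that holds for resources at their usual file/section alignment and is an assumption of this example, as are the helper names.

```python
"""Heuristic VERSIONINFO OriginalFilename extraction and mismatch check.
Added example; not code from the Joe Sandbox report. The Value field's
DWORD alignment is computed from the absolute offset, which is an assumption
that holds for VS_VERSIONINFO resources at their normal alignment."""

KEY = "OriginalFilename".encode("utf-16-le")


def original_filenames(data: bytes) -> list:
    """Return every OriginalFilename value found in a byte buffer."""
    found = []
    pos = 0
    while True:
        idx = data.find(KEY, pos)
        if idx < 0:
            break
        p = idx + len(KEY) + 2          # skip the key's UTF-16 NUL terminator
        p += (-p) % 4                   # VS_VERSIONINFO Value is DWORD-aligned
        end = p
        while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2                    # advance one UTF-16 code unit at a time
        value = data[p:end].decode("utf-16-le", errors="replace").strip()
        if value:
            found.append(value)
        pos = idx + len(KEY)
    return found


def name_mismatches(on_disk_name: str, data: bytes) -> list:
    """OriginalFilename values that differ from the on-disk name (case-insensitive)."""
    target = on_disk_name.lower()
    return [v for v in original_filenames(data) if v.lower() != target]


def version_string(key: str, value: str, offset: int) -> bytes:
    """Constructed VS_VERSIONINFO-style String entry (key, padding, value) laid out
    for a given absolute offset so that the value lands on a DWORD boundary."""
    body = key.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00" * ((-(offset + len(body))) % 4)
    return body + value.encode("utf-16-le") + b"\x00\x00"


def build_sample() -> bytes:
    """Constructed memory image: a stand-in header followed by three version-string
    entries modelled on the OriginalFilename values the report lists for 0442.pdf.exe."""
    blob = b"MZ" + b"\x90" * 30                          # 32 bytes of stand-in PE header
    for value in ("Acrobat.exe", "_IsIcoRes.exe", "0442.pdf.exe"):
        blob += version_string("OriginalFilename", value, len(blob))
        blob += b"\x00" * ((-len(blob)) % 4)             # keep the next entry aligned
    return blob


if __name__ == "__main__":
    sample = build_sample()
    print(original_filenames(sample))                    # all three values
    print(name_mismatches("0442.pdf.exe", sample))       # the two that do not match
```

A file whose only OriginalFilename matches its own name (the third entry above, or a clean Acrobat.exe) yields no mismatch; a lure that embeds another product's version block, or whose memory holds strings from the decoy it launched, yields the foreign names, which is exactly what the rows above show.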
Source: classification engine | Classification label: mal88.troj.evad.winEXE@46/95@1/3
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF6414EB6D8 GetLastError,FormatMessageW,LocalFree
Source: C:\Users\user\Desktop\0442.pdf.exe | Code function: 0_2_00007FF641508624 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\LiteManager Pro - Server
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ROMFUSLocal
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ROMFUSTray
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03
Source: C:\Users\user\Desktop\0442.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_6773328
Source: Yara match | File source: 12.0.ROMServer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.ROMFUSClient.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000000.1806255889.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.1812231802.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe, type: DROPPED
Source: C:\Users\user\Desktop\0442.pdf.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" "
Source: 0442.pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\0442.pdf.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\0442.pdf.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 0442.pdf.exe | Virustotal: Detection: 44%
Source: 0442.pdf.exe | ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\0442.pdf.exe | File read: C:\Users\user\Desktop\0442.pdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\0442.pdf.exe "C:\Users\user\Desktop\0442.pdf.exe"
Source: C:\Users\user\Desktop\0442.pdf.exe | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ms.msi" /qn
Source: C:\Users\user\Desktop\0442.pdf.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0442.pdf.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\doc.pdf"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Users\user\Desktop\0442.pdf.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\doc2.pdf"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 8.8.8.8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1720,i,4460427527233058691,5362964774260238234,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
Source: unknown | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe"
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Source: C:\Users\user\Desktop\0442.pdf.exe | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ms.msi" /qn
Source: C:\Users\user\Desktop\0442.pdf.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" "
Source: C:\Users\user\Desktop\0442.pdf.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\doc.pdf"
Source: C:\Users\user\Desktop\0442.pdf.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\doc2.pdf"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 8.8.8.8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1720,i,4460427527233058691,5362964774260238234,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
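The process tree above is the whole attack chain in one view: a RAR SFX with a double extension (0442.pdf.exe) runs msiexec against a package in the user's Temp directory with /qn, opens two decoy PDFs in Acrobat so the victim sees a document, runs start.bat (which pings 8.8.8.8), and has msiexec launch the LiteManager server with /server /siex /silentinstall, after which ROMServer.exe is started as a service ("unknown" parent). The following Python is an added example, not part of the Joe Sandbox report and not LiteManager code: detection logic for that chain, run over process-creation events constructed from the command lines in this section. The parent of 0442.pdf.exe is assumed to be explorer.exe (the report lists it as unknown), the benign msiexec /V control event is attributed to services.exe by assumption, and the detection names, regular expressions and image lists are my own.

```python
"""Detection logic for the execution chain in this report, run over constructed
process-creation events. Added example; not part of the Joe Sandbox report and
not LiteManager code. Detection names are my own; the parent of 0442.pdf.exe is
assumed to be explorer.exe (the report lists it as unknown)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record in the shape of Sysmon Event ID 1 / Security 4688."""
    image: str
    cmdline: str
    parent_image: str
    parent_cmdline: str = ""


# Document-looking name followed by .exe, e.g. 0442.pdf.exe (the RAR SFX lure here)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.exe$", re.I)
# Any user's local Temp directory, where the SFX dropped ms.msi, start.bat and the decoy PDFs
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# LiteManager Pro server components installed by the MSI
LITEMANAGER_IMAGES = ("romfusclient.exe", "romserver.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_double_extension(path: str) -> bool:
    return bool(DOUBLE_EXT.search(basename(path)))


def detect(ev: ProcEvent) -> list:
    """Return the names of the detections that fire for one event (empty if none)."""
    hits = []
    name = basename(ev.image)
    tokens = ev.cmdline.lower().split()
    parent_double = is_double_extension(ev.parent_image)

    if is_double_extension(ev.image):
        hits.append("double_extension_execution")

    # msiexec /i <package under a user's Temp> with a /q* switch: a silent install
    if name == "msiexec.exe" and "/i" in tokens and USER_TEMP.search(ev.cmdline):
        if any(t.startswith("/q") for t in tokens):
            hits.append("silent_msi_install_from_user_temp")
        if parent_double:
            hits.append("msiexec_spawned_by_double_extension_file")

    # cmd.exe running a batch file on behalf of the lure
    if name == "cmd.exe" and parent_double and ".bat" in ev.cmdline.lower():
        hits.append("batch_script_launched_by_double_extension_file")

    # ping launched from a batch file (connectivity check or crude delay)
    if name == "ping.exe" and ".bat" in ev.parent_cmdline.lower():
        hits.append("ping_from_batch_script")

    # Decoy document opened by the lure itself rather than by the user
    if name == "acrobat.exe" and parent_double and USER_TEMP.search(ev.cmdline):
        hits.append("decoy_pdf_opened_by_double_extension_file")

    # Remote-access tool installed without a UI
    if name in LITEMANAGER_IMAGES and "/silentinstall" in tokens:
        hits.append("litemanager_silent_install")

    return hits


def scan(events) -> dict:
    """Map each firing event's command line to its detections; silent events are omitted."""
    results = {}
    for ev in events:
        hits = detect(ev)
        if hits:
            results[ev.cmdline] = hits
    return results


LURE = r"C:\Users\user\Desktop\0442.pdf.exe"
BAT_CMD = r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" "'

# Constructed events modelled on the process tree in this report
SAMPLE_EVENTS = [
    ProcEvent(LURE, '"%s"' % LURE, r"C:\Windows\explorer.exe"),   # parent assumed
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ms.msi" /qn',
              LURE),
    ProcEvent(r"C:\Windows\System32\cmd.exe", BAT_CMD, LURE),
    ProcEvent(r"C:\Windows\System32\PING.EXE", "ping 8.8.8.8",
              r"C:\Windows\System32\cmd.exe", BAT_CMD),
    ProcEvent(r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
              r'"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\doc.pdf"',
              LURE),
    ProcEvent(r"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe",
              r'"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall',
              r"C:\Windows\System32\msiexec.exe"),
    # Benign control: the Windows Installer service started by the SCM, no package path
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V",
              r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_EVENTS).items():
        print(hits, "<-", cmd)
```

The control event is why the msiexec rule keys on a package path under Temp plus a /q switch rather than on msiexec alone: the Windows Installer service (msiexec /V) is started by the service control manager during every install and would otherwise fire on every legitimate MSI. Likewise an interactive msiexec /i from Temp without /q does not fire on its own, so a user double-clicking a downloaded installer is not flagged unless the parent is itself a double-extension file.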
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: dxgidebug.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: dwmapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: riched20.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: usp10.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: msls31.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: textinputframework.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: policymanager.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: msvcp110_win.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: pcacli.dllJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exe   Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe   Section loaded: cmdext.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: dlnashext.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: wpdshext.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: linkinfo.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: ntshrui.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: srvcli.dll
Source: C:\Windows\System32\msiexec.exe   Section loaded: cscapi.dll
Source: C:\Windows\System32\PING.EXE   Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE   Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE   Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe   Section loaded: mpr.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: umpdc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: wldp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: propsys.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: profapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: edputil.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: urlmon.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: iertutil.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: wintypes.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: appresolver.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: slc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: userenv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: sppc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: apphelp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: pcacli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: mpr.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: apphelp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: avifil32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: wsock32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: umpdc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: wldp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: umpdc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: wldp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: propsys.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: profapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: edputil.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: urlmon.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: iertutil.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: wintypes.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: appresolver.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: slc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: userenv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: sppc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: pcacli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: mpr.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: avifil32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: wsock32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: umpdc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: firewallapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: fwbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: fwpolicyiomgr.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe   Section loaded: sxs.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: umpdc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: wldp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: propsys.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: profapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: edputil.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: urlmon.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: iertutil.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: wintypes.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: appresolver.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: slc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe   Section loaded: userenv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: sppc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: pcacli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: mpr.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: sfc_os.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: avicap32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: netapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: avifil32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: dsound.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: netutils.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: umpdc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: avicap32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: netapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: avifil32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: dsound.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: netutils.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: umpdc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: fwpuclnt.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: idndl.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msxml6.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iccvid.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msrle32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvidc32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: tsbyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iccvid.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msrle32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvidc32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: tsbyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iccvid.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msrle32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvidc32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: tsbyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iccvid.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msrle32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvidc32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: tsbyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iccvid.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msrle32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvidc32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: tsbyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iccvid.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msrle32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvidc32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: userenv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: tsbyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: profapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iccvid.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msrle32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvidc32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: tsbyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: mswsock.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wininet.dll
                  Source: C:\Users\user\Desktop\0442.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
                  Source: Start LM-Server.lnk.5.drLNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                  Source: Uninstall LiteManager - Server.lnk.5.drLNK file: ..\..\..\..\..\..\Windows\SysWOW64\msiexec.exe
                  Source: Stop LM-Server.lnk.5.drLNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                  Source: Settings for LM-Server.lnk.5.drLNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: 0442.pdf.exeStatic PE information: Image base 0x140000000 > 0x60000000
                  Source: 0442.pdf.exeStatic file information: File size 11409543 > 1048576
                  Source: 0442.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: 0442.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: 0442.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: 0442.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: 0442.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: 0442.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: 0442.pdf.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                  Source: 0442.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 0442.pdf.exe
                  Source: 0442.pdf.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: 0442.pdf.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: 0442.pdf.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: 0442.pdf.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: 0442.pdf.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Users\user\Desktop\0442.pdf.exeFile created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_6773328Jump to behavior
                  Source: 0442.pdf.exeStatic PE information: section name: .didat
                  Source: 0442.pdf.exeStatic PE information: section name: _RDATA
                  Source: ROMViewer.exe.5.drStatic PE information: section name: .didata
                  Source: ROMFUSClient.exe.5.drStatic PE information: section name: .didata
                  Source: ROMwln.dll.5.drStatic PE information: section name: .didata
                  Source: ROMServer.exe.5.drStatic PE information: section name: .didata
                  Source: HookDrv.dll.5.drStatic PE information: section name: .didata
                  Source: ROMServer.exe0.5.drStatic PE information: section name: .didata
                  Source: C:\Users\user\Desktop\0442.pdf.exeCode function: 0_2_00007FF641525156 push rsi; retf 0_2_00007FF641525157
                  Source: C:\Users\user\Desktop\0442.pdf.exeCode function: 0_2_00007FF641525166 push rsi; retf 0_2_00007FF641525167
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtfJump to behavior
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\romserver.exe
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - ServerJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Start LM-Server.lnkJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Uninstall LiteManager - Server.lnkJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Stop LM-Server.lnkJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Settings for LM-Server.lnkJump to behavior

                  Hooking and other Techniques for Hiding and Protection

                  Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: download (132).png
                  Source: Possible double extension: pdf.exeStatic PE information: 0442.pdf.exe
                  Source: C:\Windows\System32\msiexec.exeKey value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\LiteManager\v3.4\Server\Parameters NoIPSettingsJump to behavior
                  Source: C:\Users\user\Desktop\0442.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe
                  Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe
                  Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe
                  Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe
                  Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll
                  Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe
                  Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll
                  Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll
                  Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe
                  Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe
                  Source: C:\Windows\System32\svchost.exe TID: 8064	Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\System32\svchost.exe TID: 8488	Thread sleep time: -30000s >= -30000s
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe TID: 8236	Thread sleep count: 58 > 30
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe TID: 9004	Thread sleep time: -156500s >= -30000s
                  Source: C:\Windows\System32\svchost.exe	File opened: PhysicalDrive0
                  Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
                  Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Last function: Thread delayed
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Last function: Thread delayed
                  Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_00007FF64150B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF64150B190
                  Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_00007FF6414F40BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6414F40BC
                  Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_00007FF64151FCA0 FindFirstFileExA,0_2_00007FF64151FCA0
                  Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_00007FF6415116A4 VirtualQuery,GetSystemInfo,0_2_00007FF6415116A4
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	File opened: C:\Windows\SysWOW64\wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	File opened: C:\Windows\SysWOW64\winspool.drv
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\COMCTL32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	File opened: C:\Windows\SysWOW64\
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	File opened: C:\Windows\SysWOW64\winmm.dll
                  Source: ROMFUSClient.exe, 0000000B.00000002.1833475633.0000000000C89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: svchost.exe, 00000009.00000002.3429021282.000001B23185D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3427620774.000001B22C22B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
                  Source: ROMFUSClient.exe, 0000000B.00000002.1833475633.0000000000C89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                  Source: ROMServer.exe, 00000012.00000002.3579999575.0000000000DB8000.00000004.00000020.00020000.00000000.sdmp, ROMFUSClient.exe, 00000014.00000002.3579966201.0000000000C58000.00000004.00000020.00020000.00000000.sdmp, ROMFUSClient.exe, 00000015.00000002.3580071969.0000000000D38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\System32\msiexec.exe	Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_00007FF641513170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF641513170
                  Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_00007FF641520D20 GetProcessHeap,0_2_00007FF641520D20
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process token adjusted: Debug
                  Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start
                  Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_00007FF641513170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF641513170
                  Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_00007FF641512510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF641512510
                  Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_00007FF641513354 SetUnhandledExceptionFilter,0_2_00007FF641513354
                  Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_00007FF6415176D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6415176D8
                  Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_00007FF64150B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF64150B190
                  Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ms.msi" /qn
                  Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" "
                  Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\doc.pdf"
                  Source: C:\Users\user\Desktop\0442.pdf.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\doc2.pdf"
                  Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 8.8.8.8
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
                  Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: 0_2_00007FF6415258E0 cpuid 0_2_00007FF6415258E0
                  Source: C:\Users\user\Desktop\0442.pdf.exe	Code function: GetLocaleInfoW,GetNumberFormatW,0_2_00007FF64150A2CC
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                  Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Users\user\Desktop\0442.pdf.exeCode function: 0_2_00007FF641510754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF641510754
                  Source: C:\Users\user\Desktop\0442.pdf.exeCode function: 0_2_00007FF6414F51A4 GetVersionExW,0_2_00007FF6414F51A4

                  Remote Access Functionality

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server AllowRemoteRPC
MITRE ATT&CK matrix (a number before a technique name is the count shown in the report for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | 1 Replication Through Removable Media | Windows Management Instrumentation | 1 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | 1 Remote Desktop Protocol | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Obfuscated Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 Windows Service | 1 Windows Service | 1 Software Packing | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Registry Run Keys / Startup Folder | 11 Process Injection | 1 DLL Side-Loading | NTDS | 65 System Information Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 Registry Run Keys / Startup Folder | 1 File Deletion | LSA Secrets | 31 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 222 Masquerading | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Modify Registry | DCSync | 1 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Remote System Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Process Injection | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1580649 | Sample: 0442.pdf.exe | Start date: 25/12/2024 | Architecture: WINDOWS | Score: 88

Signatures attached to the start node:
• Icon mismatch, binary includes an icon from a different legit application in order to fool users
• Multi AV Scanner detection for submitted file
• Sigma detected: Suspicious Double Extension File Execution
• 3 other signatures

DNS names resolved from the start node: x1.i.lencr.org, bg.microsoft.map.fastly.net

Process tree as drawn in the graph (indentation = started by the process above; numbers in parentheses are the counters printed next to the node in the graph):
• ROMServer.exe
  • Network: 101.99.91.150, ports 49796, 49797, 49798 (SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY, Malaysia)
  • Signatures: Enables remote desktop connection; Enables network access during safeboot for specific services
  • ROMFUSClient.exe
  • ROMFUSClient.exe
• msiexec.exe (98 61)
  • Dropped: C:\Program Files (x86)\...\ROMServer.exe, PE32; stop_server_51B516...3C56354EA2277C2.exe, PE32; config_server_B6BD...764F06ADFFD6458.exe, PE32; 9 other files (none is malicious)
  • ROMFUSClient.exe
    • ROMServer.exe
  • ROMFUSClient.exe
    • ROMServer.exe
  • ROMFUSClient.exe
    • ROMServer.exe
• 0442.pdf.exe (6 11)
  • cmd.exe (1)
    • Signature: Uses ping.exe to check the status of other devices and networks
    • PING.EXE (1)
      • Network: 8.8.8.8 (GOOGLEUS, United States)
    • conhost.exe
  • Acrobat.exe (72)
    • AcroCEF.exe (107)
      • AcroCEF.exe
  • Acrobat.exe (41)
  • msiexec.exe
• svchost.exe
  • Network: 127.0.0.1 (unknown unknown)

Antivirus detection, submitted file:

Source | Detection | Scanner | Label
0442.pdf.exe | 44% | Virustotal |
0442.pdf.exe | 26% | ReversingLabs | Win64.Trojan.Uztuby

Antivirus detection, dropped files:

Source | Detection | Scanner | Label
C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll | 0% | ReversingLabs |
C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll | 0% | ReversingLabs |
C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | 3% | ReversingLabs |
C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | 8% | ReversingLabs |
C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll | 0% | ReversingLabs |
C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe | 3% | ReversingLabs |
C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe | 3% | ReversingLabs |
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe | 0% | ReversingLabs |
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe | 0% | ReversingLabs |
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe | 0% | ReversingLabs |
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe | 0% | ReversingLabs |
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe | 0% | ReversingLabs |

No Antivirus matches
No Antivirus matches

Antivirus detection, URLs:

Source | Detection | Scanner | Label
http://litemanager.ru/ | 0% | Avira URL Cloud | safe
http://www.LiteManagerTeam.com | 0% | Avira URL Cloud | safe
https://litemanager.com/romversion.txt | 0% | Avira URL Cloud | safe
http://litemanager.com/03 | 0% | Avira URL Cloud | safe
https://litemanager.com/soft/pro/ROMServer.zip | 0% | Avira URL Cloud | safe
http://litemanager.com/1 | 0% | Avira URL Cloud | safe
http://litemanager.ru/noip.txtU | 0% | Avira URL Cloud | safe
http://litemanager.com/03Y | 0% | Avira URL Cloud | safe
http://litemanager.com/ | 0% | Avira URL Cloud | safe

Domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
x1.i.lencr.org | unknown | unknown | false | | high
URLs:

Name | Source | Malicious | Antivirus Detection | Reputation
http://litemanager.com/1 | ROMServer.exe, 00000012.00000002.3580742486.000000000158C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000015.00000002.3580857023.000000000288C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://litemanager.ru/ | ROMFUSClient.exe, 0000000B.00000000.1807368103.00000000008E4000.00000002.00000001.01000000.0000000B.sdmp, ROMServer.exe, 0000000C.00000000.1824434137.00000000009FE000.00000002.00000001.01000000.0000000C.sdmp, Russian.lg.5.dr | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/Prod.C: | svchost.exe, 00000009.00000003.1746773700.000001B231A56000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/ | 2D85F72862B55C4EADD9E66E06947F3D0.8.dr | false | | high
https://litemanager.com/soft/pro/ROMServer.zip | ROMFUSClient.exe, 0000000B.00000000.1806255889.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 0000000C.00000000.1812231802.0000000000401000.00000020.00000001.01000000.0000000C.sdmp | false | Avira URL Cloud: safe | unknown
http://litemanager.com/03 | ROMFUSClient.exe, 00000015.00000002.3580857023.0000000002893000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/ProdV2 | svchost.exe, 00000009.00000003.1746773700.000001B231AC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://litemanager.com/romversion.txt | ROMFUSClient.exe, 0000000B.00000000.1806255889.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 0000000C.00000000.1812231802.0000000000401000.00000020.00000001.01000000.0000000C.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A408000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A446000.00000004.00000020.00020000.00000000.sdmp, 675fde.msi.5.dr, ms.msi.0.dr | false | | high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 00000009.00000003.1746773700.000001B231AC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.symauth.com/rpa00 | 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A408000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A446000.00000004.00000020.00020000.00000000.sdmp, 675fde.msi.5.dr, ms.msi.0.dr | false | | high
http://ocsp.thawte.com0 | 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A408000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A446000.00000004.00000020.00020000.00000000.sdmp, 675fde.msi.5.dr, ms.msi.0.dr | false | | high
http://litemanager.ru/noip.txtU | ROMServer.exe, 0000000C.00000000.1812231802.0000000000401000.00000020.00000001.01000000.0000000C.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.ver) | svchost.exe, 00000009.00000002.3428915948.000001B231800000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 00000009.00000003.1746773700.000001B231AA3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1746773700.000001B231AC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://litemanager.com/ | ROMFUSClient.exe, 0000000B.00000000.1807368103.00000000008E4000.00000002.00000001.01000000.0000000B.sdmp, ROMServer.exe, 0000000C.00000000.1824434137.00000000009FE000.00000002.00000001.01000000.0000000C.sdmp, ROMServer.exe, 00000012.00000002.3580742486.000000000158C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000015.00000002.3580857023.000000000278C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000015.00000002.3580857023.000000000288C000.00000004.00001000.00020000.00000000.sdmp, MSI6694.tmp.5.dr | false | Avira URL Cloud: safe | unknown
http://www.LiteManagerTeam.com | MSI6694.tmp.5.dr | false | Avira URL Cloud: safe | unknown
http://www.indyproject.org/ | ROMFUSClient.exe, 0000000B.00000000.1806255889.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMFUSClient.exe, 0000000B.00000003.1831206649.0000000002A07000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000C.00000003.1827685942.00000000027F7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000C.00000000.1812231802.0000000000951000.00000020.00000001.01000000.0000000C.sdmp, ROMFUSClient.exe, 0000000E.00000003.1849439942.00000000029F7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000F.00000003.1843162771.0000000002B37000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000010.00000003.1887504046.0000000002877000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 00000011.00000003.1884190514.0000000002A67000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 00000012.00000002.3580742486.00000000014F7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000014.00000002.3580707479.0000000002827000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000015.00000002.3580857023.00000000027F7000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://litemanager.com/03Y | ROMServer.exe, 00000012.00000002.3580742486.0000000001593000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.symauth.com/cps0( | 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A408000.00000004.00000020.00020000.00000000.sdmp, 0442.pdf.exe, 00000000.00000003.1715364678.000001FD2A446000.00000004.00000020.00020000.00000000.sdmp, 675fde.msi.5.dr, ms.msi.0.dr | false | | high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 00000009.00000003.1746773700.000001B231AC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
Contacted public IPs:

IP | Domain | Country | ASN | ASN Name | Malicious
8.8.8.8 | unknown | United States | 15169 | GOOGLEUS | false
101.99.91.150 | unknown | Malaysia | 45839 | SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | true

Contacted private IPs:

IP
127.0.0.1
                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1580649
                                              Start date and time:2024-12-25 15:16:54 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 8m 28s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                              Run name:Run with higher sleep bypass
                                              Number of analysed new started processes analysed:25
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:0442.pdf.exe
                                              renamed because original name is a hash value
                                              Original Sample Name: .pdf.exe
                                              Detection:MAL
                                              Classification:mal88.troj.evad.winEXE@46/95@1/3
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HCA Information:
                                              • Successful, ratio: 100%
                                              • Number of executed functions: 69
                                              • Number of non-executed functions: 93
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                              • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                              • Excluded IPs from analysis (whitelisted): 184.28.88.176, 172.64.41.3, 162.159.61.3, 2.19.126.149, 2.19.126.143, 52.6.155.20, 3.219.243.226, 3.233.129.217, 52.22.41.97, 184.28.90.27, 23.195.39.65, 2.22.50.131, 2.22.50.144, 88.221.168.141, 18.213.11.84, 4.245.163.56, 13.107.246.63
                                              • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, e4578.dscb.akamaiedge.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, ocsp.digicert.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, fs.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, p13n.adobe.io, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, ssl.adobe.com.edgekey.net, armmf.adobe.com, geo2.adobe.com
                                              • Not all processes where analyzed, report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              No simulations
                                              No context
Domain context (other analyses that contacted the same domain):

Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | yvaKqhmD4L.exe | malicious | Unknown | 199.232.210.172
| #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe | malicious | Unknown | 199.232.210.172
| IoIB9gQ6OQ.exe | malicious | AsyncRAT, PureLog Stealer | 199.232.210.172
| eCompleted_419z.pdf | malicious | HTMLPhisher | 199.232.214.172
| 3FG4bsfkEwmxFYY.exe | malicious | FormBook | 199.232.214.172
| #U5b89#U88c5#U52a9#U624b1.0.3.exe | malicious | Unknown | 199.232.214.172
| eCompleted_419z.pdf | malicious | Unknown | 199.232.210.172
| Onboard Training Checklist v1.1 - Wyatt Young (1).xlsx | malicious | Unknown | 199.232.214.172
| 94e.exe | malicious | Remcos | 199.232.214.172
ASN context (other analyses that contacted the same ASN):

Match | Associated Sample Name / URL | Detection | Threat Name | Context
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | 94e.exe | malicious | Remcos | 101.99.94.64
| 94e.exe | malicious | Remcos | 101.99.94.64
| 0442.pdf.exe | malicious | Remcos | 101.99.94.64
| file.exe | malicious | Invicta Stealer, XWorm | 101.99.92.189
| http://www.recorderkorea.com/shop/proc/indb.cart.tab.php?action=ok&tab=today&type=delete&returnUrl=https://23058.hicleanly.ca/uoeujd/shuhsdy/odog/kratos/REDIRECT/Zl2jyY/compliance@yourmom.com | malicious | Unknown | 101.99.81.34
| lg1wwLsmCX.exe | malicious | Unknown | 101.99.75.174
| lg1wwLsmCX.exe | malicious | Unknown | 101.99.75.174
| IFhqcKaIol.lnk | malicious | Unknown | 101.99.75.174
| Scan_03774843.pdf | malicious | Unknown | 101.99.77.51
                                              No context
Dropped file context (other analyses that dropped the same file):

Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll | 0438.pdf.exe | malicious | Unknown |
| 0438.pdf.exe | malicious | Unknown |
| gBYz86HSwI.msi | malicious | Unknown |
| 0438.pdf.exe | malicious | Unknown |
| 0438.pdf.exe | malicious | Unknown |
| 0438.pdf.exe | malicious | Unknown |
C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll | 0438.pdf.exe | malicious | Unknown |
| 0438.pdf.exe | malicious | Unknown |
| gBYz86HSwI.msi | malicious | Unknown |
| 0438.pdf.exe | malicious | Unknown |
| 0438.pdf.exe | malicious | Unknown |
| 0438.pdf.exe | malicious | Unknown |
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:modified
                                                                      Size (bytes):23984
                                                                      Entropy (8bit):5.167530144913046
                                                                      Encrypted:false
                                                                      SSDEEP:192:kmC7js8t8t+CqZ+6ySyDy6ylNbywyYylygy2fhWBiBNMBiBNvBiBNq5yoio2YUgs:kH75t8t+CqZ+cNbynfhzOj3IXygyVOVi
                                                                      MD5:2CCC85B6A0BE7513E3622B79D6A5AC1A
                                                                      SHA1:E7A22D7D8A67D5E163806FEBA4390E907C9A6DA5
                                                                      SHA-256:89B41C016BF9B834415BD7AE07E89CA8E62F07A774AB01063B0CC8D3536DC762
                                                                      SHA-512:B6A13E2CCFA0D7C51691668B35C6077AA1CA96D4404CBDAADDF7F01557F3DFA04DDCAD8FC702FD9F989800A31498C3F4162C69C3AC943B3376F06C8DFB4AF45C
                                                                      Malicious:false
                                                                      Preview:...@IXOS.@.....@;J.Y.@.....@.....@.....@.....@.....@......&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}..LiteManager Pro - Server..ms.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}.....@.....@.....@.....@.......@.....@.....@.......@......LiteManager Pro - Server......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{3244CDE6-6414-4399-B0D5-424562747210}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{4D4D18AA-F74D-4291-B5A9-93C3CC48B75F}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{641F154A-FEEF-4FA7-B5BF-414DB1DB8390}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{26EAB54E-4659-47E8-86F9-4CB74F7E03BE}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}&.{00000000-0000-0000-0000-000000000000}.@......&.{A3DC5A2F-2249-4674-BE
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):132032
                                                                      Entropy (8bit):6.10195829980833
                                                                      Encrypted:false
                                                                      SSDEEP:3072:sh/1J7RYdzZU4Z5tegH1q888888888888W888888888882zgP:sh/jIZPZ5tJ8888888888888W888888s
                                                                      MD5:C40455A478E0B76521130D9DAAAADC4B
                                                                      SHA1:42DE923D5E36A9F56B002DD66DB245BC44480089
                                                                      SHA-256:308085BC357BF3A3BEE0D662FCC01628E9EE2FFD478AE0F1E7140939AD99B892
                                                                      SHA-512:76ED6D763F603BCAA7FE186C0A7449E614DCDB18036F7587C6E5A11C3F3269E400E3D2062856CC280AC20C094617924783B6C360F25AF66767DCC53C2F3045C9
                                                                      Malicious:false
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      Joe Sandbox View:
• Filename: 0438.pdf.exe, Detection: malicious
• Filename: 0438.pdf.exe, Detection: malicious
• Filename: gBYz86HSwI.msi, Detection: malicious
• Filename: 0438.pdf.exe, Detection: malicious
• Filename: 0438.pdf.exe, Detection: malicious
• Filename: 0438.pdf.exe, Detection: malicious
                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....xK............................p........ ..........................................................................\.......\...............................x#...................................................................................text...$........................... ..`.itext.............................. ..`.data...0.... ......................@....bss....xN...@...........................idata..\...........................@....edata..\............&..............@..@.reloc..x#.......$...(..............@..B.rsrc................L..............@..@....................................@..@........................................................................................................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Rich Text Format data, version 1, ANSI, code page 1251, default language ID 1049
                                                                      Category:dropped
                                                                      Size (bytes):58679
                                                                      Entropy (8bit):4.738446173390891
                                                                      Encrypted:false
                                                                      SSDEEP:768:bkJC7UF9eVWSlBY8Aq9CBGDtD8gX1ZDCZjewbAsCw1vPDQuJPQzusxxeCNHnPPsT:htwqueMZYU
                                                                      MD5:BAED4E7AF33F77350D454B69317EE63B
                                                                      SHA1:2B598774F0C73850A36117F29EA8DAC57BE1C138
                                                                      SHA-256:671D65183C39E53FC1759C45B105A0FBE2D3A216E4099B66D5FCF274EA625E07
                                                                      SHA-512:E740997BDECB8F907A000D01BF3E823898A1289D1DBFAE5BF342D4BCB6FF09D258317955F4FD858FF6B239E5BA08E49E90CDEC06E24DABDB18C1CF2D8943590C
                                                                      Malicious:false
                                                                      Preview:{\rtf1\ansi\ansicpg1251\uc1\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1049\deflangfe1049{\fonttbl{\f0\froman\fcharset204\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt Times New Roman};}..{\f1\fswiss\fcharset204\fprq2{\*\panose 020b0604020202020204}Arial;}{\f2\fmodern\fcharset204\fprq1{\*\panose 02070309020205020404}Courier New;}{\f3\froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol;}..{\f10\fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings;}{\f37\fswiss\fcharset204\fprq2{\*\panose 020f0502020204030204}Calibri;}{\f211\froman\fcharset0\fprq2 Times New Roman{\*\falt Times New Roman};}..{\f209\froman\fcharset238\fprq2 Times New Roman CE{\*\falt Times New Roman};}{\f212\froman\fcharset161\fprq2 Times New Roman Greek{\*\falt Times New Roman};}{\f213\froman\fcharset162\fprq2 Times New Roman Tur{\*\falt Times New Roman};}..{\f214\froman\fcharset177\fprq2 Times New Roman (Hebrew){\*\falt Times New Roman};}{\f215\froman\fcharset178\fprq2 Time
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):89220
                                                                      Entropy (8bit):3.469297258214741
                                                                      Encrypted:false
                                                                      SSDEEP:768:YvozCzKUNNfMnuQhgdXT0Z2BPshK+4aCWpQJ3OEInKDcbztlXnpQbbMv3PI:Yvoz4TXTI2pQCWOJvgXnpQbS3PI
                                                                      MD5:B1C96EF24061BF294CAC6C4C9CBF7757
                                                                      SHA1:5D1B1934091E257B5F1C69B13F5FC1E424348584
                                                                      SHA-256:20DB884523DA62C20F80B8A3BB71E11091B90A443B83C06D8FE2A1BBC00C1C33
                                                                      SHA-512:6E90562FD804F91DDADEF2310551063D34B859FF1CC6E58A41667E9CDA062DCA851C8455882EF47CF3E1A8EC21EBD9F0761F15E54174CC4A95427238CB39BA14
                                                                      Malicious:false
                                                                      Preview:..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.3.3.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .Q.u.e.s.t.i.o.n.....e.r.r.o.r. .=. .E.r.r.o.r.....i.n.f.o.r.m.a.t.i.o.n. .=. .I.n.f.o.r.m.a.t.i.o.n.....n.o.t.i.f.i.c.a.t.i.o.n. .=. .N.o.t.i.f.i.c.a.t.i.o.n.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .C.a.n. .n.o.t. .r.e.a.d. .s.e.r.v.i.c.e. .c.o.n.f.i.g.u.r.a.t.i.o.n...\.n.;.R.e.i.n.s.t.a.l.l. .L.i.t.e.M.a.n.a.g.e.r. .s.e.r.v.i.c.e.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .C.a.n. .n.o.t. .s.e.t. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r. .s.e.r.v.i.c.e. .s.t.a.r.t.u.p. .m.o.d.e.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .C.a.n. .n.o.t. .s.e.t. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r. .s.e.r.v.i.c.e. .s.t.a.r.t.u.p. .m.o.d.e...\.n.;.R.e.b.o.o.t. .s.y.s.t.e.m.,. .p.l.e.a.s.e.......
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):201728
                                                                      Entropy (8bit):6.3607488106285075
                                                                      Encrypted:false
                                                                      SSDEEP:3072:rmqdVRkbN1G3OKtVLqKc3IuQquARCASmShKJ:rmyTmNw3zqKcFLRs
                                                                      MD5:1D4F8CFC7BBF374CCC3AAE6045B2133D
                                                                      SHA1:802EDF0B0ED1D0305BCD6688EE3301366FEC1337
                                                                      SHA-256:C04885562F17BAEEFBCD2D4FC29F054EB8A66C44BD015750498C69A912D94C1F
                                                                      SHA-512:68643A30FEA87B2B61AF546F42BF32A25459152C1BCCE5A8A881714139CE828DFE4237874FF1E9CC3B78D6CDBEF7DD45C9F3459C3337D83693C704C274AFFF3E
                                                                      Malicious:false
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      Joe Sandbox View:
• Filename: 0438.pdf.exe, Detection: malicious
• Filename: 0438.pdf.exe, Detection: malicious
• Filename: gBYz86HSwI.msi, Detection: malicious
• Filename: 0438.pdf.exe, Detection: malicious
• Filename: 0438.pdf.exe, Detection: malicious
• Filename: 0438.pdf.exe, Detection: malicious
                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...|..[.................\...........v............@.................................................................. ...................@...................@...G..................................................$................................text....S.......T.................. ..`.itext..D....p.......X.............. ..`.data...<............`..............@....bss....<Y...............................idata...............z..............@....didata.............................@....edata....... ......................@..@.rdata..E....0......................@..@.reloc...G...@...H..................@..B.rsrc....@.......@..................@..@....................................@..@........................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):61034
                                                                      Entropy (8bit):4.429529654892776
                                                                      Encrypted:false
                                                                      SSDEEP:768:nebbtdP4XFsh6HWiIZTYp7JtMLG54ttg2kGPyWtvQTznCKDMlV2f:ne3KOhTTocL8HnMlV2f
                                                                      MD5:7303B5AE0B8911CEB238DC01419695BE
                                                                      SHA1:22B89BDB8FAEC62BA3E66639E38E6271B593944A
                                                                      SHA-256:88155FB3F0E198AA4A24F9CFECBB83C5A4E081C6EA362BC50294410CB2FB5C50
                                                                      SHA-512:8AE802616AF60BAF214E254F6A55D312DC46B6E3F8BEE5F50E30E372FF38103776278B5FB07A562C2149EEA58107CB427A03B1629F72044AB69D3507E5DFAB15
                                                                      Malicious:false
                                                                      Preview:[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.2.8.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .OUL.....e.r.r.o.r. .=. ./.......i.n.f.o.r.m.a.t.i.o.n. .=. ........n.o.t.i.f.i.c.a.t.i.o.n. .=. ....w....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .!q.l...S.g.RD}Ka.0\.n.;...e.[. .L.i.t.e.M.a.n.a.g.e.r. ..g.R?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .!q.l-..[ .L.i.t.e.M.a.n.a.g.e.r. .:O.ghV.g.R_U.R!j._.0....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .!q.l-..[ .L.i.t.e.M.a.n.a.g.e.r. .:O.ghV.g.R_U.R!j._.0\.n.;....e.._j.|q}.0....f.m._.s.e.t.t.i.n.g.s._.r.e.s.t.a.r.t._.s.e.r.v.i.c.e._.t.o._.a.p.p.l.y. .=. ....e_U.R .L.M. .:O.ghV.a(u.z._.NWY(u...f.0....f.m._.s.e.c.u.r.i.t.y._.f.o.r.c.e._.g.u.e.s.t. .=. .7_6R.O.(Wdk.|q}.N-..[.....asTW.@b.g.}..O(u.....S.g.O.X[.S.kP..0 .!q.l.O(u.07_
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):58794
                                                                      Entropy (8bit):3.642324420313977
                                                                      Encrypted:false
                                                                      SSDEEP:768:D+XPobz4qFlRiiXc0HwgHSSxnrKT7nke7GShFBy/x97fuTLY57aC7I/Fj:yPQMw1ZOT7kef1y/X7fuTq4j
                                                                      MD5:606DC375E898D7221CCB7CEB8F7C686B
                                                                      SHA1:26DCF93876C89283623B8150C1B79EDB24B6A7EC
                                                                      SHA-256:F442E440580EA35040E35BF1D85A118E7C182FDE0B9BA2A3C1816DEAB5F822BB
                                                                      SHA-512:9FBC42165B51A2020D2DA2FFE33287A4F3AA33639126813B290D329D47C4F4DA8F297A47AF3C1F63AF6F9E1BA47ACE840BC1660D603E17589E5DB6DDA0E1E5B1
                                                                      Malicious:false
                                                                      Preview:..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.5.5.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .S.o.r.u.....e.r.r.o.r. .=. .H.a.t.a.....i.n.f.o.r.m.a.t.i.o.n. .=. .B.i.l.g.i.....n.o.t.i.f.i.c.a.t.i.o.n. .=. .B.i.l.d.i.r.i.m.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .H.i.z.m.e.t. .y.a.p.1.l.a.n.d.1.r.m.a.s.1. .o.k.u.n.a.m.1.y.o.r...\.n.;.L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t.i.n.i. .y.e.n.i.d.e.n. .y...k.l.e.m.e.k. .m.i. .i.s.t.i.y.o.r.s.u.n.u.z.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t. .b.a._.l.a.n.g.1... .m.o.d.u.n.u. .a.y.a.r.l.a.y.a.m.1.y.o.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t. .b.a._.l.a.n.g.1... .m.o.d.u.n.u. .a.y.a.r.l.a.y.a.m.1.y.o.r...\.n.;.S.i.s.t.e.m.i. .y.e.n.i.d.e.n. .b.a._.l.
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Unicode text, UTF-16, little-endian text, with very long lines (305), with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):87912
                                                                      Entropy (8bit):4.303374267443204
                                                                      Encrypted:false
                                                                      SSDEEP:768:VUlHxa/yEOYEJNHWjlUu1pZ26ER2nkUTbfk74Q:aNxWREb4lUu1P29R2JbfC4Q
                                                                      MD5:3FC082E8F516EAD9FC26AC01E737F9EF
                                                                      SHA1:3B67EBCE4400DDCF6B228E5668F3008561FB8F21
                                                                      SHA-256:3DC0CEAE11F445B57B17B7C35A90B5133E313CF6B61550AB418252C5B8089C99
                                                                      SHA-512:9A9D20AF2F8C27056F58AB5A9C687F5124CE5F6D563E396C9558331FB8BE48E88E148B1FDC548A5EBDEDB451E3D89F2F96856F3BBFD695691D5687599F376421
                                                                      Malicious:false
                                                                      Preview:..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d. .=. .1.0.5.8.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...r.u./.....q.u.e.s.t.i.o.n. .=. ...8.B.0.=.=.O.....e.r.r.o.r. .=. ...>.<.8.;.:.0.....i.n.f.o.r.m.a.t.i.o.n. .=. ...=.D.>.@.<.0.F.V.O.....n.o.t.i.f.i.c.a.t.i.o.n. .=. ...>.2.V.4.>.<.;.5.=.=.O.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. ...5.<.>.6.;.8.2.>. .?.@.>.G.8.B.0.B.8. .:.>.=.D.V.3.C.@.0.F.V.N. .A.;.C.6.1.8...\.n.;...5.@.5.2.A.B.0.=.>.2.8.B.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. ...5.<.>.6.;.8.2.>. .2.A.B.0.=.>.2.8.B.8. .@.5.6.8.<. .7.0.?.C.A.:.C. .A.;.C.6.1.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. ...5.<.>.6.;.8.2.>. .2.A.B.0.=.>.2.8.B.8. .@.5.6.8.<. .7.0.?.C.A.:.C. .A.;.C.6.1.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):6307408
                                                                      Entropy (8bit):6.5944937257467116
                                                                      Encrypted:false
                                                                      SSDEEP:98304:NwiA/GmKEt3LQ7V8z3uHWkd49GMdqOxaB:NOGmKEt31kd2dqwaB
                                                                      MD5:63D0964168B927D00064AA684E79A300
                                                                      SHA1:B4B9B0E3D92E8A3CBE0A95221B5512DED14EFB64
                                                                      SHA-256:33D1A34FEC88CE59BEB756F5A274FF451CAF171A755AAE12B047E678929E8023
                                                                      SHA-512:894D8A25E9DB3165E0DAAE521F36BBD6F9575D4F46A2597D13DEC8612705634EFEA636A3C4165BA1F7CA3CDC4DC7D4542D0EA9987DE10D2BC5A6ED9D6E05AECB
                                                                      Malicious:false
                                                                      Yara Hits:
                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, Author: Joe Security
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f..................C..F........C.......C...@.......................... i.......`..........@................... N.......M..A...@T...............`.P"...PN.<............................@N.......................M.......N......................text.....C.......C................. ..`.itext...0....C..2....C............. ..`.data... 3....C..4....C.............@....bss........0E..........................idata...A....M..B....E.............@....didata.......N......LE.............@....edata....... N......ZE.............@..@.tls....X....0N..........................rdata..]....@N......\E.............@..@.reloc..<....PN......^E.............@..B.rsrc........@T......DK.............@..@............. i.......`.............@..@................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):7753808
                                                                      Entropy (8bit):6.615075046955521
                                                                      Encrypted:false
                                                                      SSDEEP:98304:D4/WZQ7lc63BJGS1VFeIEll251o7+YcMBk2VVyN/RTfCAFIqOx9N:DXQ7SIEXeMBk2V4N/Nq2Iqw9N
                                                                      MD5:F3D74B072B9697CF64B0B8445FDC8128
                                                                      SHA1:8408DA5AF9F257D12A8B8C93914614E9E725F54C
                                                                      SHA-256:70186F0710D1402371CE2E6194B03D8A153443CEA5DDB9FC57E7433CCE96AE02
                                                                      SHA-512:004054EF8CDB9E2FEFC3B7783574BFF57D6D5BF9A4624AD88CB7ECCAE29D4DFD2240A0DC60A14480E6722657132082332A3EC3A7C49D37437644A31E59F551AF
                                                                      Malicious:true
                                                                      Yara Hits:
                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 8%
                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...w#.f.................ZU... ......qU.......U...@.......................... ........v..........@...................._......`_..K....g.. ............v.P"...._.4............................._..................... m_.|....._......................text....&U......(U................. ..`.itext..$1...@U..2...,U............. ..`.data....@....U..B...^U.............@....bss....0.....V..........................idata...K...`_..L....V.............@....didata......._.......V.............@....edata........_.......V.............@..@.tls....`....._..........................rdata..]....._.......V.............@..@.reloc..4....._.......V.............@..B.rsrc.... ....g.. ....^.............@..@............. ........v.............@..@................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):999944
                                                                      Entropy (8bit):6.626732213066839
                                                                      Encrypted:false
                                                                      SSDEEP:12288:SA9+TVJdg0YMgqAahyv0jKdTq4lrBhqSq/rt8VwGFrt:SRho0lgqA6yvnrBhq/rQDt
                                                                      MD5:ED32E23322D816C3FE2FC3D05972689E
                                                                      SHA1:5EEA702C9F2AC0A1AADAE25B09E7983DA8C82344
                                                                      SHA-256:7F33398B98E225F56CD287060BEFF6773ABB92404AFC21436B0A20124919FE05
                                                                      SHA-512:E505265DD9D88B3199EB0D4B7D8B81B2F4577FABD4271B3C286366F3C1A58479B4DC40CCB8F0045C7CD08FD8BF198029345EEF9D2D2407306B73E5957AD59EDF
                                                                      Malicious:false
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...`.-\.................J...........X.......`....@.................................................................. ...................@...........0.......@.. O...................................................................................text...0?.......@.................. ..`.itext..8....P.......D.............. ..`.data....:...`...<...N..............@....bss.....]...............................idata..............................@....didata.............................@....edata....... ......................@..@.rdata..E....0......................@..@.reloc.. O...@...P..................@..B.rsrc....@.......@..................@..@.....................0..............@..@........................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):94772
                                                                      Entropy (8bit):4.284840986247552
                                                                      Encrypted:false
                                                                      SSDEEP:768:r1kyTyZFOTb6QeZGJXYbFAMrKARuZk7FRwZoFTa2n:rn+2iZGhYbK4KARpAoFTa2n
                                                                      MD5:0E204FABE68B4B65ED5E0834651FB732
                                                                      SHA1:B338A6E54AA18F3F8A573580520F16C74A51F3D2
                                                                      SHA-256:302373D81F0AE15589206420CB01A266804C9FD1C1FF0D6E09CE6BA3FEF92B64
                                                                      SHA-512:AAD76F6A76DC693D959389CE471BC585D0DA72737FED99F42F219FDC7C71617C00E8003A467092E12820A359D672C6FB80D99772F3F6433923B2ABB7EEA40F08
                                                                      Malicious:false
                                                                      Preview:..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.4.9.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...r.u./.....q.u.e.s.t.i.o.n. .=. ...>.?.@.>.A.....e.r.r.o.r. .=. ...H.8.1.:.0.....i.n.f.o.r.m.a.t.i.o.n. .=. ...=.D.>.@.<.0.F.8.O.....n.o.t.i.f.i.c.a.t.i.o.n. .=. ...?.>.2.5.I.5.=.8.5.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. ...5.2.>.7.<.>.6.=.>. .?.@.>.G.8.B.0.B.L. .:.>.=.D.8.3.C.@.0.F.8.N. .A.;.C.6.1.K...\.n.;...5.@.5.C.A.B.0.=.>.2.8.B.L. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. ...5.2.>.7.<.>.6.=.>. .C.A.B.0.=.>.2.8.B.L. .@.5.6.8.<. .7.0.?.C.A.:.0. .A.;.C.6.1.K. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. ...5.2.>.7.<.>.6.=.>. .C.A.B.0.=.>.2.8.B.L. .@.5.6.8.<. .7.0.?.C.A.:.0. .A.;.C.6.1.K. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r...\.n.
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):7752272
                                                                      Entropy (8bit):6.615186281886958
                                                                      Encrypted:false
                                                                      SSDEEP:98304:y4/WZQ7lc63BJGS1VFeIEll251o7+YcMBk2VVyN/RTfCEFIqOxJn:yXQ7SIEXeMBk2V4N/NqiIqwJn
                                                                      MD5:84FB34E529BEDE393A3F604EAA8137B2
                                                                      SHA1:195EA03B7BD086454A13C0D8357E0A9E447D9EC9
                                                                      SHA-256:1E396C4066AC8F421A54893442A0D76C4F8D4146E63825D67DFC0DA782E73EE5
                                                                      SHA-512:A48A80D62E588667B4C891CDED279BABFFA5FB4FDF092F345212F81D29A9ACAA06E6DB27B49DC601909409A3C82AA9272BCDF90D0AE1738E83E80D9FCA4D93E6
                                                                      Malicious:false
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):11361360
                                                                      Entropy (8bit):6.496049600782297
                                                                      Encrypted:false
                                                                      SSDEEP:98304:AshiRp5hPI7N9sSA5wbZXJOu/0uOXZYfmQYanSjS+cWuNOlQpgfYLyPsd+QgBBP5:Al5hPwgvyAjDjS+igfgym+bHJxmK
                                                                      MD5:B0E355EC3453C8FFAEE08CD4257E96F2
                                                                      SHA1:0FA023CA8F1C1ECDADDE3DD3BD551870C2D965E2
                                                                      SHA-256:60248BA026064B116E4F94020DABB74DF519F5B4C41379CA19A38D725692CA8E
                                                                      SHA-512:B6004F83FD78EED84BF21611EFA45F2FFADF3625E0A2FDCDAE531B4734A4B886EBFE5EBE990DA42302B7368282D83DFFEF19E71DA8EC4C155EE5C8619AD028DD
                                                                      Malicious:false
                                                                      Yara Hits:
                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe, Author: Joe Security
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                      Process:C:\Windows\System32\svchost.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):8192
                                                                      Entropy (8bit):0.363788168458258
                                                                      Encrypted:false
                                                                      SSDEEP:6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
                                                                      MD5:0E72F896C84F1457C62C0E20338FAC0D
                                                                      SHA1:9C071CC3D15E5BD8BF603391AE447202BD9F8537
                                                                      SHA-256:686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
                                                                      SHA-512:AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\svchost.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1310720
                                                                      Entropy (8bit):1.310820402560299
                                                                      Encrypted:false
                                                                      SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvry:KooCEYhgYEL0In
                                                                      MD5:ADCAF32CA884E5E02C87BB8192A16184
                                                                      SHA1:59A70788B171B9CF3F470CD3E8D84B8027406A33
                                                                      SHA-256:981395A4F0C37EB9BA2B6351D3F3FF0A7337AA0BBB818A559F028B44AF17F553
                                                                      SHA-512:FD8EF6154B14CAECC48943049DDDB5E595044A7733CBA4172596DF1572287FB1CBC0C412C0653D51033FD77FFF2F2336216AC21D0556F04A066F80BB3140B207
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\svchost.exe
                                                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0x97f73736, page size 16384, Windows version 10.0
                                                                      Category:dropped
                                                                      Size (bytes):1310720
                                                                      Entropy (8bit):0.42223889778651835
                                                                      Encrypted:false
                                                                      SSDEEP:1536:nSB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:nazag03A2UrzJDO
                                                                      MD5:712650B7F69FEEE3CD638AD2154D262B
                                                                      SHA1:38F439EE388E4C3A417B22EB8BADB8BB45C2E0D3
                                                                      SHA-256:E45E9ADA489F5FB34EF429EFB474EF13FE7C65430ADD89224749DD7A1EBFED52
                                                                      SHA-512:81E3D7A22CC2503C8198ADE173844F4DC07D6916E0023CA939B0DB39862AB3195EF5CA87FD878E1BCE828C16EBBDDCFB88DCBED7C479694A98BDA6B65528A67F
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\svchost.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):16384
                                                                      Entropy (8bit):0.07942319433619086
                                                                      Encrypted:false
                                                                      SSDEEP:3:cO0llOetYelPpZovpZa/m4ZRG6JrUa/AYZ/illOE/tlnl+/rTc:cXrzlP3ovpZaVZk6GaoYZepMP
                                                                      MD5:86250EB98E33FFE6E25B65DC6FB36AF6
                                                                      SHA1:51B4238F7834608BD1A0C86EACB38DF7743CD3EE
                                                                      SHA-256:9B1C12443B7FF833CAF2908BE6A36386A0959574391A2E2E39A35F479EC0A545
                                                                      SHA-512:F6CB454E1EE6462030DA44B54B0E39E1317219D24F2E9879210E2D94E549F832A159F52876E049B13B233FB84EAB63B3C90FA2443086F03F005B3FBB6AF1AE4E
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Aug 22 18:41:10 2024, mtime=Wed Dec 25 13:17:59 2024, atime=Thu Aug 22 18:41:10 2024, length=7753808, window=hide
                                                                      Category:dropped
                                                                      Size (bytes):2167
                                                                      Entropy (8bit):3.9115109293741543
                                                                      Encrypted:false
                                                                      SSDEEP:48:882VndOOGZ7fZd5Y+d5YsP5qoZkmrSUp8JWqoZkmtw:88GG5a9O5qoZbcJWqoZbt
                                                                      MD5:D5F57D43923ED9F42FDBF946C1F108E8
                                                                      SHA1:6714D74A3375B2D4FC43CE74DE65FF06320C2742
                                                                      SHA-256:40609B814EE3D0DAB7E6F35B669E110DB0DB920F1083120A518B07F00B0C6BD9
                                                                      SHA-512:2208DD72E0B8A89A960A2C2AC9A247B3405496840E6E17C741C5B2CDF017AABB209DDC8F432BF742E746980F385119E0A158F4A1D2F8E784906783DF0259B114
                                                                      Malicious:false
                                                                      Preview:L..................F.@.. ......=....O....V.....=....PPv..........................P.O. .:i.....+00.../C:\.....................1......Y;r..PROGRA~2.........O.I.Y;r....................V.....C...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....z.1......Y=r..LITEMA~1..b......Y;r.Y@r....J.........................L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.....h.2.PPv..Y%. .ROMSER~1.EXE..L.......Y%..Y@r....;.........................R.O.M.S.e.r.v.e.r...e.x.e.......l...............-.......k............|.z.....C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe..L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.c.o.n.f.i.g.n.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
                                                                      Category:dropped
                                                                      Size (bytes):1890
                                                                      Entropy (8bit):3.1573107695942624
                                                                      Encrypted:false
                                                                      SSDEEP:48:8ddOEPLqd5Y+d5YcCP5q2DT2S0Wq2DTKX7:85LJ9cM5qUoWqUE
                                                                      MD5:5FC67E19699B3F0B2AB7B4B89B0B3F1A
                                                                      SHA1:6F6380DF2EB8C5D30452A846864F001A8B0E473A
                                                                      SHA-256:45451F933B472FA53301D46B7C072AF67E51EC60172E6E9C01E0B308DF78A2F4
                                                                      SHA-512:81C7A9F5683DB54893BD26A6EC1BCBDB17983037668CD996E03934E7708331594195DBF2CCE9EB2B0C0567A9E8B24DD629D40866D49E55C9DF77A864D15744E5
                                                                      Malicious:false
                                                                      Preview:L..................F.@...........................................................P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)..."...1...........LiteManager Pro - Server..b............................................L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r...(.h.2...........ROMServer.exe.L............................................R.O.M.S.e.r.v.e.r...e.x.e.......L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.s.t.a.r.t.n.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.R.O.M.S.e.r.v.e.r...e.x.e._.9.D.0.9.B.2.B.C.2.5.A.2.4.1.4.C.B.D.8.4.8.E.2.B.7.5.8.9.8.6.7.6...e.x.e.........%SystemRoot%\In
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Aug 22 18:41:10 2024, mtime=Wed Dec 25 13:17:58 2024, atime=Thu Aug 22 18:41:10 2024, length=7753808, window=hide
                                                                      Category:dropped
                                                                      Size (bytes):2159
                                                                      Entropy (8bit):3.8929359019311023
                                                                      Encrypted:false
                                                                      SSDEEP:48:8W2VndOOyqZE7fZd5Y+d5Ys5qcxFWT84SslWqcxFWT8cw:8WGyqZka9s5qcxYT8SWqcxYT8c
                                                                      MD5:EF1B278A3E909BA6FDF538EADF1E7CE6
                                                                      SHA1:C5588303D5E3E663B22D0BD20981833BB5CB5856
                                                                      SHA-256:2EE27F024225839D35AB6C3A941582D7D39C6484D0719D34515F9525CE91FADB
                                                                      SHA-512:C39E47A4C07182201EA18271AFA1A8E270BB59BC8B032DB108C8B74624DCF050563EE27ADB0A79241C6EDFF2B8077C0BDC4BCAF4E383240C776E67CE25D526D2
                                                                      Malicious:false
                                                                      Preview:L..................F.@.. ......=....~...V.....=....PPv..........................P.O. .:i.....+00.../C:\.....................1......Y;r..PROGRA~2.........O.I.Y;r....................V.....C...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....z.1......Y=r..LITEMA~1..b......Y;r.Y=r....J.......................y.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.....h.2.PPv..Y%. .ROMSER~1.EXE..L.......Y%..Y=r....;.........................R.O.M.S.e.r.v.e.r...e.x.e.......l...............-.......k............|.z.....C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe..L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.s.t.o.p.l.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.s.t
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Sat Dec 7 08:10:02 2019, mtime=Wed Oct 4 09:56:56 2023, atime=Sat Dec 7 08:10:02 2019, length=59904, window=hide
                                                                      Category:dropped
                                                                      Size (bytes):1953
                                                                      Entropy (8bit):3.8717779563455585
                                                                      Encrypted:false
                                                                      SSDEEP:24:8WnJvqw/nbTABPwB+sHyjv/+MTyjvejIKZDUHwGS7ke4WTyjvejIKZDUHwwcfSyu:8WnNqGnb0B2HOn5qmjlt6ScWqmjltZR
                                                                      MD5:B26F240D4CFA0B6958EBD54409DCD4A4
                                                                      SHA1:763E0C9345915725F0E4BBF5059FDF52C2EB11DE
                                                                      SHA-256:B4F7B21D1A96BEEEA1956F7E6448D6DE889C08ED8FA35A1EC4CDEFA0E4DF3A5C
                                                                      SHA-512:A243DF0BF985046E1A632B63B2792856F4DBFC5C50A0562AD9431650F7FBBE6FB964A30E5DB72BD63D2D289BD6B1E88BDD3F717559CB4EE23C4057C2468DF44B
                                                                      Malicious:false
                                                                      Preview:L..................F.@.. ...25.....1>.~....25.............................A....P.O. .:i.....+00.../C:\...................V.1.....DWQ`..Windows.@......OwH.Y8r....3....................._.9.W.i.n.d.o.w.s.....Z.1......Y5r..SysWOW64..B......O.I.Y8r....Y.....................k...S.y.s.W.O.W.6.4.....b.2......OBI .msiexec.exe.H......OBIDW.V................|.............m.s.i.e.x.e.c...e.x.e.......N...............-.......M............|.z.....C:\Windows\SysWOW64\msiexec.exe........\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.m.s.i.e.x.e.c...e.x.e.)./.x. .{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.s.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.U.N.I.N.S.T._.U.n.i.n.s.t.a.l.l._.L._.7.8.A.A.5.B.6.6.6.2.5.1.4.D.9.4.A.8.4.7.D.6.C.6.0.3.A.F.0.8.9.5...e.x.e.........%SystemRoot%\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C6
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:ASCII text
                                                                      Category:dropped
                                                                      Size (bytes):292
                                                                      Entropy (8bit):5.297277075649904
                                                                      Encrypted:false
                                                                      SSDEEP:6:O49UDz4q2Pwkn2nKuAl9OmbnIFUt8h4CkJZmw+h4CkDkwOwkn2nKuAl9OmbjLJ:OVDz4vYfHAahFUt8hpkJ/+hpkD5JfHAR
                                                                      MD5:15C7CF7CF4E513D51D3864891C90ED11
                                                                      SHA1:0A546ED68D377195D2B3AC32FF4286F19C38F9FB
                                                                      SHA-256:A941DF46F102981DF8DC49DD7100979D31956C9BE56B31A0504B04E717DF969C
                                                                      SHA-512:A6704D56082BF759DA9A80E18B929F19614DEAF806299BF4AC063418BA55D0EEFFE773A91AEED7C4E37C0599F2C83C2560D3ADDFCCBD41078B9FE1A6C0297AEE
                                                                      Malicious:false
                                                                      Preview:2024/12/25-09:17:53.785 1f60 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/25-09:17:53.788 1f60 Recovering log #3.2024/12/25-09:17:53.788 1f60 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:ASCII text
                                                                      Category:dropped
                                                                      Size (bytes):336
                                                                      Entropy (8bit):5.241058079259695
                                                                      Encrypted:false
                                                                      SSDEEP:6:O4lqM+q2Pwkn2nKuAl9Ombzo2jMGIFUt8h4TZmw+h4eaDpMVkwOwkn2nKuAl9OmT:OEqM+vYfHAa8uFUt8hO/+hCMV5JfHAaU
                                                                      MD5:54F5B2EBE7817FBE9793222E5925E302
                                                                      SHA1:E3F279B66AFC236C2EA282BAD0E53D3D87D7A4D9
                                                                      SHA-256:B801B20977F5C29A7CB97C58F6998BF21D9095D55F69E65C1959F04ACADC77E9
                                                                      SHA-512:C5F833E3C795099C301C6CA1E004E984010B5728A4707DB11CDF5BF0B07ED002198BB7F25C8C0308C13D0849951448B4E3912563FE01C0A521F2DB1C715FD545
                                                                      Malicious:false
                                                                      Preview:2024/12/25-09:17:53.815 1ffc Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/25-09:17:53.817 1ffc Recovering log #3.2024/12/25-09:17:53.818 1ffc Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):475
                                                                      Entropy (8bit):4.967403857886107
                                                                      Encrypted:false
                                                                      SSDEEP:12:YH/um3RA8sqLsBdOg2HHfcaq3QYiubInP7E4TX:Y2sRdsVdMHO3QYhbG7n7
                                                                      MD5:B7761633048D74E3C02F61AD04E00147
                                                                      SHA1:72A2D446DF757BAEA2C7A58C050925976E4C9372
                                                                      SHA-256:1A468796D744FCA806D1F828C07E0064AB6A1FA0E31DA3A403F12B9B89868B67
                                                                      SHA-512:397A10C510FAA048E4AAB08A11B2AE14A09EE47EC4F5A2B47CE1A9580C2874ADE0F9F8FC287B9358C0FFEA4C89F8AB9270B9CA00064EA90CD2EF0EAD0A59369F
                                                                      Malicious:false
                                                                      Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340980889952523","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146406},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:JSON data
                                                                      Category:modified
                                                                      Size (bytes):475
                                                                      Entropy (8bit):4.972348101139995
                                                                      Encrypted:false
                                                                      SSDEEP:12:YH/um3RA8sqD0hsBdOg2H9Lpcaq3QYiubInP7E4TX:Y2sRdsHydMHC3QYhbG7n7
                                                                      MD5:985518BBE2CB9734565E6CE7E18A692F
                                                                      SHA1:95D7B35E737946FBD8EBE8BCF5C0227FC410E849
                                                                      SHA-256:E641685B005BFB591965710FBE7685E6E78E39F444980B19605A2B5E97D6D452
                                                                      SHA-512:B07AE6C282B145E48403BD8DDF570C6609F8C5DF88BE7BE0FF90EEE2D4B5198401FD6F108E5EE1994D317A35D9EBABA2EB01E27CFEDEC4BE53C6E5138C8AE00C
                                                                      Malicious:false
                                                                      Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379696282511656","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":630600},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):4320
                                                                      Entropy (8bit):5.254403141194097
                                                                      Encrypted:false
                                                                      SSDEEP:96:etJCV4FAsszrNamjTN/2rjYMta02fDtehgO7BtTgo7L8MpH:etJCV4FiN/jTN/2r8Mta02fEhgO73go/
                                                                      MD5:07F5DF032E1D00E8DCA6403034E69818
                                                                      SHA1:027E7878996A3511812EE534A009C221A45BED9F
                                                                      SHA-256:16D06F62B7F2299A9FCCD90BF59794AB52233F37D81A13B68063D71F9C166992
                                                                      SHA-512:068CF9C139C695143906A42F65116777D7F352266C8AA32AE1246D3A35DB8012E5304859AB2C6D8ED16A324AF9F363D3C98ADC658C45C8E4AB506DAD8F31A206
                                                                      Malicious:false
                                                                      Preview:(binary LevelDB data, not reproduced; readable strings are "namespace-..." entries referencing https://rna-resource.acrobat.com/ and https://rna-v2-resource.acrobat.com/)
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:ASCII text
                                                                      Category:dropped
                                                                      Size (bytes):324
                                                                      Entropy (8bit):5.241419209945517
                                                                      Encrypted:false
                                                                      SSDEEP:6:O42M+q2Pwkn2nKuAl9OmbzNMxIFUt8h4kZZmw+h4RBMVkwOwkn2nKuAl9OmbzNMT:OtM+vYfHAa8jFUt8h1/+hYMV5JfHAa8E
                                                                      MD5:08A17935D35E22F13160E86A58964E7D
                                                                      SHA1:80C35C12B1CE2120F366509D5092E5D624E69DBF
                                                                      SHA-256:F35B1344F4008D997E79826B572CB0E2791AC79C102BC202EB25F0B068D7FB02
                                                                      SHA-512:F9A9B69DFACF943A8447014AA348C77420F4698312AC9050CD0C42200E421FFC88475344EA4ADCE90B01A8B64FAC89AA892F16579E5B898BEFF0BCB08D5F28FA
                                                                      Malicious:false
                                                                      Preview:2024/12/25-09:17:53.938 1ffc Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/25-09:17:53.939 1ffc Recovering log #3.2024/12/25-09:17:53.940 1ffc Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
                                                                      Category:dropped
                                                                      Size (bytes):86016
                                                                      Entropy (8bit):4.4450845456494745
                                                                      Encrypted:false
                                                                      SSDEEP:384:yezci5tAiBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:rXs3OazzU89UTTgUL
                                                                      MD5:4F920F42655298C4A0417904F729FD93
                                                                      SHA1:7A0586F94F4CC344577F4F37BA6E052793DC174B
                                                                      SHA-256:71FB5B2A3F9E441510C8AFA17BAC976026FF03B4B5514D137D3AA03164F74236
                                                                      SHA-512:92B5F92F3CCC132C21745E4760D89EE2C6162E8D06E7B5ED578FE14D9E72394D145A5B247C5BE814B773DDDB263FDB7A80052E3F4E8D5B9B9B5DDA311A2E19A4
                                                                      Malicious:false
                                                                      Preview:SQLite format 3 (binary database pages, not reproduced)
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:SQLite Rollback Journal
                                                                      Category:dropped
                                                                      Size (bytes):8720
                                                                      Entropy (8bit):3.776323045932378
                                                                      Encrypted:false
                                                                      SSDEEP:48:7MYp/E2ioyV8ioy9oWoy1Cwoy1IKOioy1noy1AYoy1Wioy1hioybioyOoy1noy1z:7jpju8FLXKQ/Ub9IVXEBodRBkG
                                                                      MD5:2F644DB20119FA89BA7828B8075DD260
                                                                      SHA1:3E4C36A2F73B23E5061EA242D980969F88E3D149
                                                                      SHA-256:5BE21835A5DF46AA45B20239D3222AC0865515AABF074585C619C250912C4352
                                                                      SHA-512:23F118B0D9F2FAAC880096B8FF2E81C52F97F17B10916FAD61949E7057D617D15A797E7F5905D264B1697FE9E351A1AD9FD0B066A816BFD429AFFD98A1B209B0
                                                                      Malicious:false
                                                                      Preview:(binary SQLite rollback journal data, not reproduced)
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:Certificate, Version=3
                                                                      Category:dropped
                                                                      Size (bytes):1391
                                                                      Entropy (8bit):7.705940075877404
                                                                      Encrypted:false
                                                                      SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                      MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                      SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                      SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                      SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                      Malicious:false
                                                                      Preview:(DER-encoded X.509 certificate, binary not reproduced; readable strings are "Internet Security Research Group" and "ISRG Root X1", validity 150604110438Z to 350604110438Z)
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                      Category:dropped
                                                                      Size (bytes):71954
                                                                      Entropy (8bit):7.996617769952133
                                                                      Encrypted:true
                                                                      SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                      MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                      SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                      SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                      SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                      Malicious:false
                                                                      Preview:MSCF (compressed cabinet data containing authroot.stl, binary not reproduced)
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):192
                                                                      Entropy (8bit):2.7895108629891827
                                                                      Encrypted:false
                                                                      SSDEEP:3:kkFkl3Puz+E/ltfllXlE/HT8kQ7llXNNX8RolJuRdxLlGB9lQRYwpDdt:kKjz+E/leT83zdNMa8RdWBwRd
                                                                      MD5:7E370E2030CC9CC82B6E4CD897BB80AA
                                                                      SHA1:6EF6D1404A3EFAAA413308CDD8F4B5AAA240E0F8
                                                                      SHA-256:2377F2710A14FD4549550A20923D7FD5B0CF875DC39D2B32DB10E7071485347E
                                                                      SHA-512:977E10CFA9034E156C705AC1A03BA5CCD7F9BA8DC67B217111E4FA0ECF2D9A8C4B35A3DD863614A817A22697ED2513A077B0E73794B9E3E8195FD48FE8619FC8
                                                                      Malicious:false
                                                                      Preview:(binary data, not reproduced; contains the UTF-16 string http://x1.i.lencr.org/ followed by the quoted value "64cd6654-56f")
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):328
                                                                      Entropy (8bit):3.1391791584200512
                                                                      Encrypted:false
                                                                      SSDEEP:6:kKKSklL9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:CaDnLNkPlE99SNxAhUe/3
                                                                      MD5:BC7FF87976B08CD9993F6D1F46C46525
                                                                      SHA1:985C82B808C941D1B1204399C597048EF7CBFEAC
                                                                      SHA-256:D3B10DBD4F925A54F286B309DD585844C19CD7B5D699C5FCF3967A34A2058014
                                                                      SHA-512:184BE0A6A90E9900231D6BF8CA71246B88778793CB3DEC9ECAAFC1C8899BCC57E12BAA3038AD32A054A2E3A6E053C9360765DB5CB4B242858E43F563831F3EC3
                                                                      Malicious:false
                                                                      Preview:(binary data, not reproduced; contains the UTF-16 string http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab followed by the quoted value "a7282eb40b1da1:0")
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):295
                                                                      Entropy (8bit):5.37498520163792
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXzW2ZNqHJNV9VoZcg1vRcR0YB1JYxoAvJM3g98kUwPeUkwRe9:YvXKXFzqHJN2Zc0v0JnGMbLUkee9
                                                                      MD5:955D083D3A3749BE235E2D2C4496A9A5
                                                                      SHA1:8B4F5B9F062413561998DBB90CF01820412F952F
                                                                      SHA-256:43D0E23D749E7FC6CE9E68226AAA3DA47ACEEE268534200ABC33253BB9069EBE
                                                                      SHA-512:E88F9F41999C61EC22FF1B9DFE0E239915E349D50F4ACAF441999F1DFC3DA85E36EEB058F0A64E706A08A6592D5419873BA02316F636709411D93139728BFAC1
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"ce512460-ade9-4ed5-8f16-b06d91fb6dd9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735312354915,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):294
                                                                      Entropy (8bit):5.323327848505493
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXzW2ZNqHJNV9VoZcg1vRcR0YB1JYxoAvJfBoTfXpnrPeUkwRe9:YvXKXFzqHJN2Zc0v0JnGWTfXcUkee9
                                                                      MD5:8B196AE35071174CCE247E5E5C18744E
                                                                      SHA1:3133F1F47C558BD41A9FADDA55F31C96B5744E39
                                                                      SHA-256:D402D631727E0829F9707222AA739022FE75B3CC9A378B425AFD33817A78CDD8
                                                                      SHA-512:EEFD29C036A6B7414E93B57B4C1B62779CBDC2D9BF8AE06723374C4779B17E4398AA4BFD741830D50DDC729AAFD6EB534057DC6D1917ACB2FC9CB9428DB3FD72
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"ce512460-ade9-4ed5-8f16-b06d91fb6dd9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735312354915,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):294
                                                                      Entropy (8bit):5.302595642420163
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXzW2ZNqHJNV9VoZcg1vRcR0YB1JYxoAvJfBD2G6UpnrPeUkwRe9:YvXKXFzqHJN2Zc0v0JnGR22cUkee9
                                                                      MD5:34D623D2E1A7073A607F449E47C457A0
                                                                      SHA1:7B91EA431F7DE84872596DE5482E01C578120296
                                                                      SHA-256:CF47EDEE22FDC61755845E0CF36F707C529093A544CE9ED5E55F4550A86B0953
                                                                      SHA-512:FB390F8119082DAA351AA5EAAA625C4B22896ED5FE99165C8CC911B5FCF69966E69C5F8CB54FE60DFA95719E15372EEC072B6EA847F81B9E3398AF02C03DE579
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"ce512460-ade9-4ed5-8f16-b06d91fb6dd9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735312354915,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):285
                                                                      Entropy (8bit):5.3624034908267895
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXzW2ZNqHJNV9VoZcg1vRcR0YB1JYxoAvJfPmwrPeUkwRe9:YvXKXFzqHJN2Zc0v0JnGH56Ukee9
                                                                      MD5:C524716AC4016D8CBAD3E1AD9AFA09E9
                                                                      SHA1:3539A80F28A38099616E60CE3D3268268EC6556A
                                                                      SHA-256:1FD9E31E054A5AA73A8B5305CF9B7E5AFA465BB17ED318A34312D1D0DF730E81
                                                                      SHA-512:975229CFE3ECFB65BCA3F555A77117BAC1A6357623B5649033C0136DCA545C795C3EF47F373BF0B4D12A1401641EBE06E203B1847134C79D30532F1842A263FF
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"ce512460-ade9-4ed5-8f16-b06d91fb6dd9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735312354915,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):1123
                                                                      Entropy (8bit):5.6826803389621015
                                                                      Encrypted:false
                                                                      SSDEEP:24:Yv6X5qHJN2zvispLgE9cQx8LennAvzBvkn0RCmK8czOCCSz:YvGqHuashgy6SAFv5Ah8cv/z
                                                                      MD5:B59A7D35BC6D8C6DA41509243A59EBC1
                                                                      SHA1:D5D9481FE779CC0FFD2E690EF780F50C9C39AACA
                                                                      SHA-256:301514D153A9A8EEDB9968599622B8A0906E260618B49FD72CDABC0174B1DE48
                                                                      SHA-512:3C613D5A546B9E537000CA5424F89B89792C324CB8AF4044A4F8F5DAB44022BE29821071C2D8710E2EDAD977C4B2AD351E7DDF7F9DB5D90AEB66C6EE35E00C14
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"ce512460-ade9-4ed5-8f16-b06d91fb6dd9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735312354915,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):289
                                                                      Entropy (8bit):5.3056339236755035
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXzW2ZNqHJNV9VoZcg1vRcR0YB1JYxoAvJf8dPeUkwRe9:YvXKXFzqHJN2Zc0v0JnGU8Ukee9
                                                                      MD5:B0F611320882D8F60C72448D0FE06F9D
                                                                      SHA1:9D0E992CB2ECCF8ABECB0E7F7879937B372ED26E
                                                                      SHA-256:09959D55638F341327ACD6C1A2174D0706FDC235677D9A665F96B32665D1ADFC
                                                                      SHA-512:8FBE46993FEA38D6E0AD8D003E279E98EFFB89EDCF53F3F25C2D9A9AD42DA7A6ED67E426A21937D27F37041BE67EE245E184FBA8D9866DF392D5D10ABB953B60
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"ce512460-ade9-4ed5-8f16-b06d91fb6dd9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735312354915,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):292
                                                                      Entropy (8bit):5.308893052412268
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXzW2ZNqHJNV9VoZcg1vRcR0YB1JYxoAvJfQ1rPeUkwRe9:YvXKXFzqHJN2Zc0v0JnGY16Ukee9
                                                                      MD5:9CF5B7E049026922E6439791F883C38F
                                                                      SHA1:04731248897A3CF90BEBE996D7E7783968039692
                                                                      SHA-256:94F8C3B33FCAFB6B334EA673468464ECC2BCD1F64699836EC25A651FBE31BB0E
                                                                      SHA-512:DC25B99560005D7F71DAF0B15134E28DD934A180559EA950D41782C905E0F30ED8285AF3028DA9C7766D41280A696A9D0971BD51E2B23E982E068944C876ED4B
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"ce512460-ade9-4ed5-8f16-b06d91fb6dd9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735312354915,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):289
                                                                      Entropy (8bit):5.312259840247327
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXzW2ZNqHJNV9VoZcg1vRcR0YB1JYxoAvJfFldPeUkwRe9:YvXKXFzqHJN2Zc0v0JnGz8Ukee9
                                                                      MD5:3D4FCC0936E3C68443CB97545B80D01D
                                                                      SHA1:C2D8D1862BABDFC629C32CBE8DD175CF6FBC3A2E
                                                                      SHA-256:73DE0BC06D95B778BC4D338B0CF6FAC30DB1AAB7910DC223EE8793772AC46C8D
                                                                      SHA-512:CD00B6C986ACD136561EDD34C1CB030E4AF98E14DBE7593C7121284133B2B30D625657F40979BB8B8B39CC6AF987415C06B5B783591240B288E8BAD4ABD22392
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"ce512460-ade9-4ed5-8f16-b06d91fb6dd9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735312354915,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):295
                                                                      Entropy (8bit):5.330564617888576
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXzW2ZNqHJNV9VoZcg1vRcR0YB1JYxoAvJfzdPeUkwRe9:YvXKXFzqHJN2Zc0v0JnGb8Ukee9
                                                                      MD5:9AD2FD0739728BC5F67956F3693F36BF
                                                                      SHA1:3F32B969F645954EDCBC45E6CE0CDA94E15D0208
                                                                      SHA-256:35BBEDB4E556FCE8A7FB036BC7AD8F9AA4FCC8591481DF3505E974C033C98A27
                                                                      SHA-512:758521911E2F96FA41CA1CB951623F208E96F8EA096200444309663572AB78F2230C4931E870520D90CE0D3600F33FA815BD81918F7A585A2DBF115749C5D693
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"ce512460-ade9-4ed5-8f16-b06d91fb6dd9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735312354915,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):289
                                                                      Entropy (8bit):5.311147089237939
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXzW2ZNqHJNV9VoZcg1vRcR0YB1JYxoAvJfYdPeUkwRe9:YvXKXFzqHJN2Zc0v0JnGg8Ukee9
                                                                      MD5:258803A0B0A18DA2A6FC8B2227C45209
                                                                      SHA1:14FB5D59CB17FFF0A2C6E66558044F1109204873
                                                                      SHA-256:F20B3091FA7DC6ED1DB4665BC4EAE62C2E69AB7490472BB044B57860EC92B4D6
                                                                      SHA-512:FC1AD2E6C7B05F46EE22C744F1C4290A410F63B03FAD2F0639AEB9C45AD93CEA7E0291C4CDF6E9522802A871C04B8A95F619BDF8C9842E0688BD5AF77807C968
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"ce512460-ade9-4ed5-8f16-b06d91fb6dd9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735312354915,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):284
                                                                      Entropy (8bit):5.297975067252363
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXzW2ZNqHJNV9VoZcg1vRcR0YB1JYxoAvJf+dPeUkwRe9:YvXKXFzqHJN2Zc0v0JnG28Ukee9
                                                                      MD5:74BE2D320D4496811B07ECBF1C9E27DA
                                                                      SHA1:CEABB779B6D27A6AA1803BECB69CF78AE8D4136F
                                                                      SHA-256:80F036433483D9347A93A95C694D18DEED4BE753D1FB2596BFDC15C18ADEB162
                                                                      SHA-512:2D8F3260E85408A82B6924D83C62FFD79C298EFD4BE7E921E7DFF875236EF69538753AA84EA29B103E977179567C1BF352825D259048DA94AE3158A0C3F7274D
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"ce512460-ade9-4ed5-8f16-b06d91fb6dd9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735312354915,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):291
                                                                      Entropy (8bit):5.294617574614634
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXzW2ZNqHJNV9VoZcg1vRcR0YB1JYxoAvJfbPtdPeUkwRe9:YvXKXFzqHJN2Zc0v0JnGDV8Ukee9
                                                                      MD5:1C1F1DA46C9C51558F00ED801575C69A
                                                                      SHA1:971F932E8A720D5074BE253A28B82D706F1D6368
                                                                      SHA-256:BF3D0CB9DA697345195A72576FBD4D3C88A26C87F4DA83C8EB44F60FC9E95CA8
                                                                      SHA-512:B428C46DA3C712C7396EB79754773BA2EB14C4D44F5B4632CF1BFBBDC097D0ADCCA1AC654AC6A2165BEC184CA818DFEC49DC16721798B3E9F5C3FAB812BF02D1
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"ce512460-ade9-4ed5-8f16-b06d91fb6dd9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735312354915,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):287
                                                                      Entropy (8bit):5.299108939001311
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXzW2ZNqHJNV9VoZcg1vRcR0YB1JYxoAvJf21rPeUkwRe9:YvXKXFzqHJN2Zc0v0JnG+16Ukee9
                                                                      MD5:F3A70AD68229D073B6F4B5956E02750C
                                                                      SHA1:A25DE6E38F2896D56E2BEB2052684295F62568DB
                                                                      SHA-256:010293DFB54CD43A9C2F92B17F44449F427B9F5568548B20A6E0F1A19C1D721E
                                                                      SHA-512:85BE05F5EDF9D78D619B81C1D1211EA031DF421344DFE2D712660D612D6CB9CE2AC2728DC0500971A831C65A1A2AFA09FC7172A1DE15A8DF087CBFA13CEB9062
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"ce512460-ade9-4ed5-8f16-b06d91fb6dd9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735312354915,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):1090
                                                                      Entropy (8bit):5.658964280083354
                                                                      Encrypted:false
                                                                      SSDEEP:24:Yv6X5qHJN2zviYamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSz:YvGqHuaeBgkDMUJUAh8cvMz
                                                                      MD5:BAC96BBB0489A936A01882362A0C6D5F
                                                                      SHA1:7011D32138EF9BC7C93E57CBFE380AFC22E96D12
                                                                      SHA-256:A3194DA05B1F4BFE2B21901187CDCEE0231A8077991573F6E3E5E743F9F991F1
                                                                      SHA-512:DA65745E01D25406E696012EE40319A08B1425E1A3425AFF1CBA305EFC4650FB0250DBAA73F90FA17C1CF28BD50BA83609213488A9D0A62B85D7A460C03F189E
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"ce512460-ade9-4ed5-8f16-b06d91fb6dd9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735312354915,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):286
                                                                      Entropy (8bit):5.273184334442483
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXzW2ZNqHJNV9VoZcg1vRcR0YB1JYxoAvJfshHHrPeUkwRe9:YvXKXFzqHJN2Zc0v0JnGUUUkee9
                                                                      MD5:F62791FC839671F8177B4C825BB3A3B4
                                                                      SHA1:03E3EE00BB03CDE5D7278C521FD90F520C640864
                                                                      SHA-256:78102288AA6B1FC611A9B4AF0C99ABA3442C5734148368D8CD65FF99950BE567
                                                                      SHA-512:A23DBA096478A1B26D0351D20C7D2F39F5A32A941148B43E397F43067B93E0E36A6AD780443674C616CF72389F920A84A75C820B2D95DBCAE274C3604C32D71A
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"ce512460-ade9-4ed5-8f16-b06d91fb6dd9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735312354915,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):282
                                                                      Entropy (8bit):5.288041010955499
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXzW2ZNqHJNV9VoZcg1vRcR0YB1JYxoAvJTqgFCrPeUkwRe9:YvXKXFzqHJN2Zc0v0JnGTq16Ukee9
                                                                      MD5:6B5311F0D203BD22E8716B914F5339C6
                                                                      SHA1:A3AF75E1CF0A4E2AB34D5D500A7A82FA6784A21A
                                                                      SHA-256:0C3B734683387A61F33039A612D01A9426FC82BC0B9342DF142CB8C40E44DCC8
                                                                      SHA-512:869700C84D27CD175C05EDCC1B77F4BD6CFFFF17C014062A29D048A229C5833F839763D1DEFF84713D15F90B15878F0536DBC98375AB80F3E48D1CB49F5F785C
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"ce512460-ade9-4ed5-8f16-b06d91fb6dd9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1735312354915,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):4
                                                                      Entropy (8bit):0.8112781244591328
                                                                      Encrypted:false
                                                                      SSDEEP:3:e:e
                                                                      MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                      SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                      SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                      SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                      Malicious:false
                                                                      Preview:....
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):2814
                                                                      Entropy (8bit):5.139111679020927
                                                                      Encrypted:false
                                                                      SSDEEP:24:Y0xfha4HWayVV4EnX99/yBlDUPj/j0S5tSFgZ2LTD2LSbCGTCcEiHKq5+Vh9GuGj:Y0qKu3/y8L7SFAKTD1lCcEiHj2h9+
                                                                      MD5:2617664E85F5CDDB91D966C1BCFB00C2
                                                                      SHA1:24D5F84F5864E18EA77D77A60A2303C40AE85294
                                                                      SHA-256:732B139138C6C5DA22611DE0511DE107E212A5F1E6389BBA63705416B9D23577
                                                                      SHA-512:947458EE80BE5EFDFB9DB92EEBD39BCC510ABC9C133BB930EAC1C5594D580FDA25013460E93FD0B330D23408EC442E3AEBB300E9A17A0C530FBA6F4DE32259AA
                                                                      Malicious:false
                                                                      Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"e1eb4a4f51870eee8bf09cda17f0006a","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1735136284000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"e49bacefde005d6a78960c3c5ae934b2","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1735136284000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"374a6ccd5717226e1f49a414321f47cb","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1735136284000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"2c7abb5e92fea44293b2b16934fd7946","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1735136284000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"2ea932172e1104f585ee2f37a12f107f","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1735136284000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"0b2c0ca14d049d2a9da90d7b035e7af2","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                                      Category:dropped
                                                                      Size (bytes):12288
                                                                      Entropy (8bit):1.1864697069856829
                                                                      Encrypted:false
                                                                      SSDEEP:48:TGufl2GL7msEHUUUUUUUU0SvR9H9vxFGiDIAEkGVvpG:lNVmswUUUUUUUU0+FGSIta
                                                                      MD5:DAF48492FB44450173E1DF5EB4D1EA69
                                                                      SHA1:C87DFA11429D6BA3E649C36371033228AAF8CCF9
                                                                      SHA-256:33606D0F4E99E8CEAE23226BF01464B301F939B346A4832939582BEEA4440954
                                                                      SHA-512:4899395DDF5AFB744317B7A020826911110DED6B1FE9B223C42A7367A9E79B8C71DD5D9E9BC27CFB20148AE16A15469807E8F0619613F03A9EA59F7F9888FB48
                                                                      Malicious:false
                                                                      Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:SQLite Rollback Journal
                                                                      Category:dropped
                                                                      Size (bytes):8720
                                                                      Entropy (8bit):1.6051568109538437
                                                                      Encrypted:false
                                                                      SSDEEP:48:7MYKUUUUUUUUUUWvR9H9vxFGiDIAEkGVvYqFl2GL7mse:74UUUUUUUUUUaFGSIteKVmse
                                                                      MD5:9ADF1544CD7350DD6DDCB36028779880
                                                                      SHA1:1DFB556A676D329B5467A75D372C3CC8F1B13D54
                                                                      SHA-256:EE97F05735917F66C3A51F47D9504D046248EAA6C58842498FCE81044C95293A
                                                                      SHA-512:E5D9EBD108088735BBDF8CD49157AB4C46355112E0F9A8E82D2E3E0750BCBFA781DC377CC053D923302023C87243D1B10BFDCA32B59705352DFB1AFC799FAB4C
                                                                      Malicious:false
                                                                      Preview:.... .c......$~~......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................f.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):66726
                                                                      Entropy (8bit):5.392739213842091
                                                                      Encrypted:false
                                                                      SSDEEP:768:RNOpblrU6TBH44ADKZEgDNErfI15MAV8GUtnLLgk2hRYyu:6a6TZ44ADEDyrfI15JV8yRK
                                                                      MD5:8FBE4CAE54C6F5E581EACAD8DF8F688F
                                                                      SHA1:7538A1124197F5CA553090B26000AF2D317CF964
                                                                      SHA-256:01B589D3226F72DB8BA75774CB980CEC721E74851E8E3233E6C17191EE85A00D
                                                                      SHA-512:C09F23D215612F404B8927787A23506EC38E796748B36B655B1DEA27665522D2C9BCB062A87D9DCBDA5D3453444AD9D77DD81736EB6484314F355D1978E533FE
                                                                      Malicious:false
                                                                      Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:ASCII text, with very long lines (393)
                                                                      Category:dropped
                                                                      Size (bytes):16525
                                                                      Entropy (8bit):5.345946398610936
                                                                      Encrypted:false
                                                                      SSDEEP:384:zHIq8qrq0qoq/qUILImCIrImI9IWdFdDdoPtPTPtP7ygyAydy0yGV///X/J/VokV:nNW
                                                                      MD5:8947C10F5AB6CFFFAE64BCA79B5A0BE3
                                                                      SHA1:70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778
                                                                      SHA-256:4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
                                                                      SHA-512:B76DB9EF3AE758F00CAF0C1705105C875838C7801F7265B17396466EECDA4BCD915DA4611155C5F2AD1C82A800C1BEC855E52E2203421815F915B77AA7331CA0
                                                                      Malicious:false
                                                                      Preview:SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:088+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):15114
                                                                      Entropy (8bit):5.370831016789047
                                                                      Encrypted:false
                                                                      SSDEEP:384:Jg0Zll8USIHXiICduhIv5IZBaBEdRttA2F6Gsk0XdRxLqaZLXuxu7W+QKRpxxnW/:FIuD
                                                                      MD5:58080CCCC22AE0742917002B5E8D8B6D
                                                                      SHA1:11BBA1A464251F76DA0B969EDBAA14D85E619AA3
                                                                      SHA-256:E7A226186F3AF122C9F64E699C9F72B6E3D9980D38B4DF486B79A74C3A53C4E5
                                                                      SHA-512:2CDE73A2E46929A571D26CE7211F19B3238850CD9A28ACEF50F2FEF837BA096A25CE0E4B16D3BC416FC143A961A9A0D793E00E5E7D4F62C46B9F1B429C3925E2
                                                                      Malicious:false
                                                                      Preview:SessionID=419d898b-4e29-499d-8bee-93fb104546cb.1735136276023 Timestamp=2024-12-25T09:17:56:023-0500 ThreadID=8072 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=419d898b-4e29-499d-8bee-93fb104546cb.1735136276023 Timestamp=2024-12-25T09:17:56:024-0500 ThreadID=8072 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=419d898b-4e29-499d-8bee-93fb104546cb.1735136276023 Timestamp=2024-12-25T09:17:56:024-0500 ThreadID=8072 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=419d898b-4e29-499d-8bee-93fb104546cb.1735136276023 Timestamp=2024-12-25T09:17:56:024-0500 ThreadID=8072 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=419d898b-4e29-499d-8bee-93fb104546cb.1735136276023 Timestamp=2024-12-25T09:17:56:025-0500 ThreadID=8072 Component=ngl-lib_NglAppLib Description="SetConf
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):29752
                                                                      Entropy (8bit):5.396988175382458
                                                                      Encrypted:false
                                                                      SSDEEP:768:anddBuBYZwcfCnwZCnR8Bu5hx18HoCnLlAY+iCBuzhLCnx1CnPrRRFS10l8gT2rD:v
                                                                      MD5:CFAA5782905D78F8C7C81209AF6DBD71
                                                                      SHA1:C5DF6718D567FF4986A46FF6B56C1E5234610B07
                                                                      SHA-256:7A5B44BF7E8B52D997912EBF6269AD67E2968D3018FDB4181384969A9B0F8FFD
                                                                      SHA-512:8A987B8E322CC1CC477A788890C5B9EA879090AA329D2EF40F0D3559964487D5DE14E2272954FF5469C2F078A463683EC0B683EB1379D327B349D7FAD6BDC3F0
                                                                      Malicious:false
                                                                      Preview:03-10-2023 12:50:40:.---2---..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Starting NGL..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..03-10-2023 12:50:40:.Closing File..03-10-
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                      Category:dropped
                                                                      Size (bytes):758601
                                                                      Entropy (8bit):7.98639316555857
                                                                      Encrypted:false
                                                                      SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                                      MD5:3A49135134665364308390AC398006F1
                                                                      SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                                      SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                                      SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                                      Malicious:false
                                                                      Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                                                                      Category:dropped
                                                                      Size (bytes):1407294
                                                                      Entropy (8bit):7.97605879016224
                                                                      Encrypted:false
                                                                      SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
                                                                      MD5:A0CFC77914D9BFBDD8BC1B1154A7B364
                                                                      SHA1:54962BFDF3797C95DC2A4C8B29E873743811AD30
                                                                      SHA-256:81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
                                                                      SHA-512:74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
                                                                      Malicious:false
                                                                      Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                      Category:dropped
                                                                      Size (bytes):386528
                                                                      Entropy (8bit):7.9736851559892425
                                                                      Encrypted:false
                                                                      SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                      MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                      SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                      SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                      SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                      Malicious:false
                                                                      Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                                      Category:dropped
                                                                      Size (bytes):1419751
                                                                      Entropy (8bit):7.976496077007677
                                                                      Encrypted:false
                                                                      SSDEEP:24576:/rwYIGNP4mOWL07oBGZ1dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:TwZG6bWLxBGZN3mlind9i4ufFXpAXkru
                                                                      MD5:95F182500FC92778102336D2D5AADCC8
                                                                      SHA1:BEC510B6B3D595833AF46B04C5843B95D2A0A6C9
                                                                      SHA-256:9F9C041D7EE1DA404E53022D475B9E6D5924A17C08D5FDEC58C0A1DCDCC4D4C9
                                                                      SHA-512:D7C022459486D124CC6CDACEAD8D46E16EDC472F4780A27C29D98B35AD01A9BA95F62155433264CC12C32BFF384C7ECAFCE0AC45853326CBC622AE65EE0D90BA
                                                                      Malicious:false
                                                                      Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                      Process:C:\Users\user\Desktop\0442.pdf.exe
                                                                      File Type:PDF document, version 1.7, 6 pages
                                                                      Category:dropped
                                                                      Size (bytes):85137
                                                                      Entropy (8bit):7.7513343990244366
                                                                      Encrypted:false
                                                                      SSDEEP:1536:eyetDLuxUTpyWbzUGW7EmvP95imdqYKq6i97idLfnk:eyetMk1tCPfimdsq6ididL8
                                                                      MD5:17A9D7D59ED8076A38B9E48533A01A10
                                                                      SHA1:1EC63D0BECCCBCE15277A3C227E787131C1E8F74
                                                                      SHA-256:631C4D8C4D0DE76F18712484358E532BE32F2FA2F92D7FAB026406C346ACBCDA
                                                                      SHA-512:E3C8AD153864482AC0BDE7445DAFFF1DAC9DCBC48D83C99169388C2EEE832EDDB02B4A2553F60D81E93674F76880544F4C10F05098830E7931518D14DF1DCFED
                                                                      Malicious:false
                                                                      Preview:%PDF-1.7..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(ru) /StructTreeRoot 37 0 R/MarkInfo<</Marked true>>/Metadata 351 0 R/ViewerPreferences 352 0 R>>..endobj..2 0 obj..<</Type/Pages/Count 6/Kids[ 3 0 R 26 0 R 28 0 R 30 0 R 32 0 R 34 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R/F2 12 0 R/F3 14 0 R/F4 19 0 R/F5 24 0 R>>/ExtGState<</GS10 10 0 R/GS11 11 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 595.32 841.92] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>..endobj..4 0 obj..<</Filter/FlateDecode/Length 1237>>..stream..x..Ko.6.....w.1)`...C.....Z4...r.z.!..F....J...).+.`.k...>....o4....._........V..<>.7_..>.=.T.6....h3...A.e+..U`...o_..O?.......{P....m..>m..`5..g......{w.F=......!L.w.....6.iLK.._..O.]...a.S..F...I....~.x.nL......}.;J|..>....d..L.....=...QB[.4p^[..t.dB...!.=.......v...]h.0F.......C....5&B....Yoz.n....c[W<........'. .1.9?...m.).hG.)!Zm...:..K(I.d...\..s..%.
                                                                      Process:C:\Users\user\Desktop\0442.pdf.exe
                                                                      File Type:PDF document, version 1.7, 6 pages
                                                                      Category:dropped
                                                                      Size (bytes):85137
                                                                      Entropy (8bit):7.7513343990244366
                                                                      Encrypted:false
                                                                      SSDEEP:1536:eyetDLuxUTpyWbzUGW7EmvP95imdqYKq6i97idLfnk:eyetMk1tCPfimdsq6ididL8
                                                                      MD5:17A9D7D59ED8076A38B9E48533A01A10
                                                                      SHA1:1EC63D0BECCCBCE15277A3C227E787131C1E8F74
                                                                      SHA-256:631C4D8C4D0DE76F18712484358E532BE32F2FA2F92D7FAB026406C346ACBCDA
                                                                      SHA-512:E3C8AD153864482AC0BDE7445DAFFF1DAC9DCBC48D83C99169388C2EEE832EDDB02B4A2553F60D81E93674F76880544F4C10F05098830E7931518D14DF1DCFED
                                                                      Malicious:false
                                                                      Preview:%PDF-1.7..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(ru) /StructTreeRoot 37 0 R/MarkInfo<</Marked true>>/Metadata 351 0 R/ViewerPreferences 352 0 R>>..endobj..2 0 obj..<</Type/Pages/Count 6/Kids[ 3 0 R 26 0 R 28 0 R 30 0 R 32 0 R 34 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R/F2 12 0 R/F3 14 0 R/F4 19 0 R/F5 24 0 R>>/ExtGState<</GS10 10 0 R/GS11 11 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 595.32 841.92] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>..endobj..4 0 obj..<</Filter/FlateDecode/Length 1237>>..stream..x..Ko.6.....w.1)`...C.....Z4...r.z.!..F....J...).+.`.k...>....o4....._........V..<>.7_..>.=.T.6....h3...A.e+..U`...o_..O?.......{P....m..>m..`5..g......{w.F=......!L.w.....6.iLK.._..O.]...a.S..F...I....~.x.nL......}.;J|..>....d..L.....=...QB[.4p^[..t.dB...!.=.......v...]h.0F.......C....5&B....Yoz.n....c[W<........'. .1.9?...m.).hG.)!Zm...:..K(I.d...\..s..%.
                                                                      Process:C:\Users\user\Desktop\0442.pdf.exe
                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: LiteManager - Server 5.0 installation package, Comments: This installer contains the logic and data to install LiteManager Pro - Server 5.0, Keywords: Installer,MSI,Database, Subject: LiteManager Pro - Server, Author: LiteManagerTeam, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Thu Aug 22 15:43:08 2024, Create Time/Date: Thu Aug 22 15:43:08 2024, Last Printed: Thu Aug 22 15:43:08 2024, Revision Number: {9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}, Code page: 0, Template: Intel;0,1033,1049
                                                                      Category:dropped
                                                                      Size (bytes):11553792
                                                                      Entropy (8bit):7.938196666665725
                                                                      Encrypted:false
                                                                      SSDEEP:196608:cJg0ov2gTGOk/J1yr/A9ODMlWyFISx8/191nYHiT88o8En03yEoH8WkJDFa:CRJoLA9OIlWy58/19J+iYNPEoHg0
                                                                      MD5:B02F581793BE146506FACC3C6AEEBC32
                                                                      SHA1:DB1CB3BD3744C77E6E3253CF4480E177A358669A
                                                                      SHA-256:1666B1C2AE1AF47B252ABBC69C80281F81A7EA979F1D784FADC19ED6FEEC59F0
                                                                      SHA-512:8113F897F5936F6393746635D2BEDCEB410DBD1F825DF28C65D96EC3390509755E63E01C5311EC0A78B2FF48579D634C5D77CED80FBA01B68D2E9A08223B8E0A
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\0442.pdf.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):130
                                                                      Entropy (8bit):4.924404357134264
                                                                      Encrypted:false
                                                                      SSDEEP:3:mKDb2nppLJTXZkRErG+fyM1K/RFofD6ANntch9wQn:hb4ZGaH1MUmy2Nn
                                                                      MD5:AA3AAB4A5BCA1D06B08C6F5D6362A5D0
                                                                      SHA1:486D423A2B689CC119CE95DFCDC018C7B552FA24
                                                                      SHA-256:A0A569883E851B4B965088F9ED9F9FBA80803B47AC6E6DD4B07DF60435184CD4
                                                                      SHA-512:2B5F84DFB399F313D11A8BFA2F3F3338CF69711D5C7B6D86E7F876C8B64DB3A664D1E3E4A4A4B0066A6949DE4E64CBA416A40BE56461556F9216EE82DE23D913
                                                                      Malicious:false
                                                                      Preview:@echo of..ping 8.8.8.8..cls..del "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\*.*" /q..cls..exit
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: LiteManager - Server 5.0 installation package, Comments: This installer contains the logic and data to install LiteManager Pro - Server 5.0, Keywords: Installer,MSI,Database, Subject: LiteManager Pro - Server, Author: LiteManagerTeam, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Thu Aug 22 15:43:08 2024, Create Time/Date: Thu Aug 22 15:43:08 2024, Last Printed: Thu Aug 22 15:43:08 2024, Revision Number: {9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}, Code page: 0, Template: Intel;0,1033,1049
                                                                      Category:dropped
                                                                      Size (bytes):11553792
                                                                      Entropy (8bit):7.938196666665725
                                                                      Encrypted:false
                                                                      SSDEEP:196608:cJg0ov2gTGOk/J1yr/A9ODMlWyFISx8/191nYHiT88o8En03yEoH8WkJDFa:CRJoLA9OIlWy58/19J+iYNPEoHg0
                                                                      MD5:B02F581793BE146506FACC3C6AEEBC32
                                                                      SHA1:DB1CB3BD3744C77E6E3253CF4480E177A358669A
                                                                      SHA-256:1666B1C2AE1AF47B252ABBC69C80281F81A7EA979F1D784FADC19ED6FEEC59F0
                                                                      SHA-512:8113F897F5936F6393746635D2BEDCEB410DBD1F825DF28C65D96EC3390509755E63E01C5311EC0A78B2FF48579D634C5D77CED80FBA01B68D2E9A08223B8E0A
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: LiteManager - Server 5.0 installation package, Comments: This installer contains the logic and data to install LiteManager Pro - Server 5.0, Keywords: Installer,MSI,Database, Subject: LiteManager Pro - Server, Author: LiteManagerTeam, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Thu Aug 22 15:43:08 2024, Create Time/Date: Thu Aug 22 15:43:08 2024, Last Printed: Thu Aug 22 15:43:08 2024, Revision Number: {9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}, Code page: 0, Template: Intel;0,1033,1049
                                                                      Category:dropped
                                                                      Size (bytes):11553792
                                                                      Entropy (8bit):7.938196666665725
                                                                      Encrypted:false
                                                                      SSDEEP:196608:cJg0ov2gTGOk/J1yr/A9ODMlWyFISx8/191nYHiT88o8En03yEoH8WkJDFa:CRJoLA9OIlWy58/19J+iYNPEoHg0
                                                                      MD5:B02F581793BE146506FACC3C6AEEBC32
                                                                      SHA1:DB1CB3BD3744C77E6E3253CF4480E177A358669A
                                                                      SHA-256:1666B1C2AE1AF47B252ABBC69C80281F81A7EA979F1D784FADC19ED6FEEC59F0
                                                                      SHA-512:8113F897F5936F6393746635D2BEDCEB410DBD1F825DF28C65D96EC3390509755E63E01C5311EC0A78B2FF48579D634C5D77CED80FBA01B68D2E9A08223B8E0A
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):292991
                                                                      Entropy (8bit):4.840173256491118
                                                                      Encrypted:false
                                                                      SSDEEP:3072:ghoy2KjcC2jcmFDX/vjcJGUjcmFDX/rjcmFDX/dZ+cNbynfe:ghoy25DXmNDXLDXX+cNbynfe
                                                                      MD5:57A2D1DC232E07904588CC6311B7DE27
                                                                      SHA1:33108C40A5FB9C483FC09D1B9D96BFA3B89453F4
                                                                      SHA-256:9E379EF011A43B7D9D1368FE5B1D894A5012913BD9507A479B9EE21968F0B298
                                                                      SHA-512:E55715FB91DC1D84DCFBC6F06B8543DD40D120FECAA663F63D6DD069491C860E242F68B789958B840F0A7653CE53BA9B23FE40AFC23A694B1ACB99A18775E105
                                                                      Malicious:false
                                                                      Preview:...@IXOS.@.....@;J.Y.@.....@.....@.....@.....@.....@......&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}..LiteManager Pro - Server..ms.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}.....@.....@.....@.....@.......@.....@.....@.......@......LiteManager Pro - Server......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{3244CDE6-6414-4399-B0D5-424562747210}0.C:\Program Files (x86)\LiteManager Pro - Server\.@.......@.....@.....@......&.{4D4D18AA-F74D-4291-B5A9-93C3CC48B75F}5.C:\Program Files (x86)\LiteManager Pro - Server\Lang\.@.......@.....@.....@......&.{641F154A-FEEF-4FA7-B5BF-414DB1DB8390}C.C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe.@.......@.....@.....@......&.{26EAB54E-4659-47E8-86F9-4CB74F7E03BE}0.C:\Program Files (x86)\LiteManager Pro - Server\.@.......@.....@.....@......&.{596F4636-5D51-49F
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):20480
                                                                      Entropy (8bit):1.160389187135861
                                                                      Encrypted:false
                                                                      SSDEEP:12:JSbX72Fj76AGiLIlHVRpBh/7777777777777777777777777vDHFfbe2vtJW4pOz:JkQI5V9dviGF
                                                                      MD5:7729ABA74203D8FA9CC126DDB7A57EE6
                                                                      SHA1:A3E320E3C82146D0122AA99818384A898EF21BDE
                                                                      SHA-256:901C176A630F703B13BFAAE26698E1920A5B78AA328544EFAC46A7C9EE639A72
                                                                      SHA-512:6744AEF66877B429DAB15FBC419A8F53043476A6DAFF2518978F9D85AF4AA6843ECA0DD789CA87150ADB99DA8C768CF9F3BCE2B7870417B7917915E4D177CFB1
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):20480
                                                                      Entropy (8bit):1.7854295991793094
                                                                      Encrypted:false
                                                                      SSDEEP:48:G8Ph+uRc06WXJSFT5vR9cxS9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5YJo9ISB29I:Zh+1JFT2nm0WlfPuDqC0WlfIF/
                                                                      MD5:3AF45C20F2B40188B88AE48F9B91EF90
                                                                      SHA1:47705C6ABEE31E02FB411E89282B15B72F8FBC26
                                                                      SHA-256:D5BFCDE192A28E49A5481B04AC005F2F49A5451CA4B774F8789E13917EB4262F
                                                                      SHA-512:A6D6FF95F3FDEEFFB30BC4ADF4C85CEDEB0CA79D403B1A7F7647ED5DFCCD8BB5BC308FDE9A50F386EEECB92BD6AD0EE86FE840543DE43CF8B03BC12FA93A4E5F
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):53248
                                                                      Entropy (8bit):4.351781833522881
                                                                      Encrypted:false
                                                                      SSDEEP:384:AvFMAyDNOdTdFCxfrwntajXjDWLi9Y+C5vy/Q1nDcZUNeLNek+vDFNe+TNy:+MAyYdTmPJbgqcnDcCNy
                                                                      MD5:CA680899D9330BEB85E6351E6DC0D27B
                                                                      SHA1:41E89E582F58FB2A4ED06FA3BF796A1DAAC5CB6C
                                                                      SHA-256:EAB5DC45781E92CD5CF953016757B1E6F2ED7A0B5A97CC0945B19A8FBC1A85F2
                                                                      SHA-512:3817BD6EC345F96631E6CBF6C8DD384ACB17D912B1EC69D959F3AA15C05226D5FE3B5E9807D42D0E63589AABCEADFBE8BD5F293D8069DF689D12498E05842286
                                                                      Malicious:false
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):57344
                                                                      Entropy (8bit):4.774504587732323
                                                                      Encrypted:false
                                                                      SSDEEP:768:SMAyYdTmPJbgqcnDcZTw0gpEeO4tZZz+0pQTk/N0:S1U81cmpjDX/N0
                                                                      MD5:5EBCB54B76FBE24FFF9D3BD74E274234
                                                                      SHA1:6CD72F044F36B7A3A79B7D77AAE59F274A66CE95
                                                                      SHA-256:504AEB909BBA186D4298AA97DCD6A09CCDD42217AF1F6210BC5EBD23B3DFCCBF
                                                                      SHA-512:5FF61D724B77B6EDC67D33B0F1EE1C3CB01F2A03251D0BE83FF10A80A99DBA08E3A0E0F985DEED6358E467B2E9B6A837E894513D1B5E68AF253C0BBDD68539D0
                                                                      Malicious:false
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):49152
                                                                      Entropy (8bit):4.31126714354722
                                                                      Encrypted:false
                                                                      SSDEEP:384:EvFMAyDNOdTdFCxfrwntajXjDWLi9Y+C5vy/Q1nDcZMwQE3vGYksuektm6yysZc8:SMAyYdTmPJbgqcnDcmwQE/RkHRRNS
                                                                      MD5:6A4AFFF2CD33613166B37A0DAB99BD41
                                                                      SHA1:FBC0F1696213B459D099A5809D79CFC01253880F
                                                                      SHA-256:53C1AE4962663E82D3AAC7C4A6CBE3D53E05D6948ADAE6391A2748396ACF98FE
                                                                      SHA-512:7B61D32E4AD38BC21E86559BFFA49A334CCB6184E595CB43F2D60A2A77C86B31D07B1A9D1F8FBE69E9AAD7E096952D765404BEBC494E73BD992642EB6B82E3A7
                                                                      Malicious:false
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):57344
                                                                      Entropy (8bit):4.774504587732323
                                                                      Encrypted:false
                                                                      SSDEEP:768:SMAyYdTmPJbgqcnDcZTw0gpEeO4tZZz+0pQTk/N0:S1U81cmpjDX/N0
                                                                      MD5:5EBCB54B76FBE24FFF9D3BD74E274234
                                                                      SHA1:6CD72F044F36B7A3A79B7D77AAE59F274A66CE95
                                                                      SHA-256:504AEB909BBA186D4298AA97DCD6A09CCDD42217AF1F6210BC5EBD23B3DFCCBF
                                                                      SHA-512:5FF61D724B77B6EDC67D33B0F1EE1C3CB01F2A03251D0BE83FF10A80A99DBA08E3A0E0F985DEED6358E467B2E9B6A837E894513D1B5E68AF253C0BBDD68539D0
                                                                      Malicious:false
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):57344
                                                                      Entropy (8bit):4.774504587732323
                                                                      Encrypted:false
                                                                      SSDEEP:768:SMAyYdTmPJbgqcnDcZTw0gpEeO4tZZz+0pQTk/N0:S1U81cmpjDX/N0
                                                                      MD5:5EBCB54B76FBE24FFF9D3BD74E274234
                                                                      SHA1:6CD72F044F36B7A3A79B7D77AAE59F274A66CE95
                                                                      SHA-256:504AEB909BBA186D4298AA97DCD6A09CCDD42217AF1F6210BC5EBD23B3DFCCBF
                                                                      SHA-512:5FF61D724B77B6EDC67D33B0F1EE1C3CB01F2A03251D0BE83FF10A80A99DBA08E3A0E0F985DEED6358E467B2E9B6A837E894513D1B5E68AF253C0BBDD68539D0
                                                                      Malicious:false
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):432221
                                                                      Entropy (8bit):5.375167557191022
                                                                      Encrypted:false
                                                                      SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaux:zTtbmkExhMJCIpErM
                                                                      MD5:D18E7F647593113ADEB0D5BC2176E84B
                                                                      SHA1:5B1A5A6E1E5BDDA06D8D2F39182A1E30F376C563
                                                                      SHA-256:130D3D52A97BB0D68B2A5FF17E2B1BB9BA24600CDA082FAD8D32D7DD12AE8DEF
                                                                      SHA-512:9A00861D1128D06B7E06CBB39F4684743533FA9E9A81D4EB25AAE6C8E0997E6C43AA1211FF202CA7B909664C0BEDF9D57D238453598832E8CCF1C84D1881CE31
                                                                      Malicious:false
                                                                      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                      Process:C:\Windows\System32\svchost.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):55
                                                                      Entropy (8bit):4.306461250274409
                                                                      Encrypted:false
                                                                      SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                      MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                      SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                      SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                      SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                      Malicious:false
                                                                      Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):20480
                                                                      Entropy (8bit):1.7854295991793094
                                                                      Encrypted:false
                                                                      SSDEEP:48:G8Ph+uRc06WXJSFT5vR9cxS9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5YJo9ISB29I:Zh+1JFT2nm0WlfPuDqC0WlfIF/
                                                                      MD5:3AF45C20F2B40188B88AE48F9B91EF90
                                                                      SHA1:47705C6ABEE31E02FB411E89282B15B72F8FBC26
                                                                      SHA-256:D5BFCDE192A28E49A5481B04AC005F2F49A5451CA4B774F8789E13917EB4262F
                                                                      SHA-512:A6D6FF95F3FDEEFFB30BC4ADF4C85CEDEB0CA79D403B1A7F7647ED5DFCCD8BB5BC308FDE9A50F386EEECB92BD6AD0EE86FE840543DE43CF8B03BC12FA93A4E5F
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):20480
                                                                      Entropy (8bit):1.7854295991793094
                                                                      Encrypted:false
                                                                      SSDEEP:48:G8Ph+uRc06WXJSFT5vR9cxS9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5YJo9ISB29I:Zh+1JFT2nm0WlfPuDqC0WlfIF/
                                                                      MD5:3AF45C20F2B40188B88AE48F9B91EF90
                                                                      SHA1:47705C6ABEE31E02FB411E89282B15B72F8FBC26
                                                                      SHA-256:D5BFCDE192A28E49A5481B04AC005F2F49A5451CA4B774F8789E13917EB4262F
                                                                      SHA-512:A6D6FF95F3FDEEFFB30BC4ADF4C85CEDEB0CA79D403B1A7F7647ED5DFCCD8BB5BC308FDE9A50F386EEECB92BD6AD0EE86FE840543DE43CF8B03BC12FA93A4E5F
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):32768
                                                                      Entropy (8bit):1.4145946496957054
                                                                      Encrypted:false
                                                                      SSDEEP:48:flWuDO+CFXJjT55qYR9cxS9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5YJo9ISB29l2:dWf7T3unm0WlfPuDqC0WlfIF/
                                                                      MD5:4A6FF06B0471F5935EE96E09398A766B
                                                                      SHA1:528A1DBEBB3E7718D8166883E29378EF34E3CD53
                                                                      SHA-256:C74B0FA1252E2E4625EA89DA3DCC080306FF76C131E81638D2E02C52C52BD88D
                                                                      SHA-512:8405E1519CC93BEA8782C8D58CA7C7E52372590F779ECDD8F3990A6EDBDE3F584760852D6B610C2915C63E3C41297B4DDF1FC4644315B020C3C698B9071B195B
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):32768
                                                                      Entropy (8bit):1.4145946496957054
                                                                      Encrypted:false
                                                                      SSDEEP:48:flWuDO+CFXJjT55qYR9cxS9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5YJo9ISB29l2:dWf7T3unm0WlfPuDqC0WlfIF/
                                                                      MD5:4A6FF06B0471F5935EE96E09398A766B
                                                                      SHA1:528A1DBEBB3E7718D8166883E29378EF34E3CD53
                                                                      SHA-256:C74B0FA1252E2E4625EA89DA3DCC080306FF76C131E81638D2E02C52C52BD88D
                                                                      SHA-512:8405E1519CC93BEA8782C8D58CA7C7E52372590F779ECDD8F3990A6EDBDE3F584760852D6B610C2915C63E3C41297B4DDF1FC4644315B020C3C698B9071B195B
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):32768
                                                                      Entropy (8bit):1.4145946496957054
                                                                      Encrypted:false
                                                                      SSDEEP:48:flWuDO+CFXJjT55qYR9cxS9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5YJo9ISB29l2:dWf7T3unm0WlfPuDqC0WlfIF/
                                                                      MD5:4A6FF06B0471F5935EE96E09398A766B
                                                                      SHA1:528A1DBEBB3E7718D8166883E29378EF34E3CD53
                                                                      SHA-256:C74B0FA1252E2E4625EA89DA3DCC080306FF76C131E81638D2E02C52C52BD88D
                                                                      SHA-512:8405E1519CC93BEA8782C8D58CA7C7E52372590F779ECDD8F3990A6EDBDE3F584760852D6B610C2915C63E3C41297B4DDF1FC4644315B020C3C698B9071B195B
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):73728
                                                                      Entropy (8bit):0.22109522704275247
                                                                      Encrypted:false
                                                                      SSDEEP:48:PHwmFSB29lOd5YpRXd5YNd5YGd5YMd5Yu9mSvOd5YpRXd5YNd5YGd5YMd5YP6AdG:PH5FqC0WlfVm0WlfPuk
                                                                      MD5:DEDE62310150853A30A1821A9C141B07
                                                                      SHA1:A5AC19EA6D5783CC8A14ECC8692374BF0A83C5A3
                                                                      SHA-256:42399FEEDBDEA09F83A8374ED45927D0B83083567C465D0721085164EE7C3C9F
                                                                      SHA-512:CF43AD556DC267664179A05178AF8EB4EE7D720C9F199B4337D9AC9E99FC14A5E07FF39BD2AD43424D1823CB53B331B49DD427124FFCD65E3082D75E24C30618
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):32768
                                                                      Entropy (8bit):0.06712149920142403
                                                                      Encrypted:false
                                                                      SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO0AbuJ2vWEJWM1AVky6lO:2F0i8n0itFzDHFfbe2vtJWuO
                                                                      MD5:0E8B611CF5EFD5D7F4C345B5C4E1443E
                                                                      SHA1:88A30155409C7EF376FB080774D617FCD51EEB6B
                                                                      SHA-256:1DDAF54603271883C75BDB3FB0D5D7FA324500D3ECC46649D583F73FE82FBB4D
                                                                      SHA-512:6AF62D7F4423FD2635320D0E94D40F31502581BF4CE800729F8040E6A962D4E178DDA94B8C10499FAF03C37BF914598A14B1539FD2A18B83A90958235CA131EE
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 7.988555676370944
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 0442.pdf.exe
File size: 11'409'543 bytes
MD5: 4f6b2b9ee57c50d6c505d0cdada4803e
SHA1: ad7dee6f1f71c4fe6299170a160592f139390e12
SHA256: 62410e8399acf7834c74012783bde3fe9ff244e048141c4a96a65bec06895f37
SHA512: 43607bd5bd78dea051340a684ad3311172adc590e5ffcd8a7c576e3f6ddba7e13750bab2a957b4d9fdec0d68b67d5391e779ee625006d00b82a65ecfc62525ce
SSDEEP: 196608:rqwdhlYLDYm+q6yU4zpDKpuLkQ9aP8F5hidaKsv7kDXFd+bIYW2LJjIeTF:Nw3Yi6yU4zpDeuREkF5PlgP+0ijIeh
TLSH: 75B6334AF79008F8E0E6F67485778425E6723D4E1338A59F57A83A2B7E773118C36722
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i...i.\.i...b.\.i...g.\.`.].C.\...Y.R.\...\.a.\.....a.\
Icon Hash: 0fd88dc89ea7861b
Entrypoint: 0x140032ee0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0x66409723 [Sun May 12 10:17:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 2
File Version Major: 5
File Version Minor: 2
Subsystem Version Major: 5
Subsystem Version Minor: 2
Import Hash: b1c5b1beabd90d9fdabd1df0779ea832
Instruction (entrypoint preview):
  dec eax
  sub esp, 28h
  call 00007F26FCF57AC8h
  dec eax
  add esp, 28h
  jmp 00007F26FCF5745Fh
  int3
  int3
  dec eax
  mov eax, esp
  dec eax
  mov dword ptr [eax+08h], ebx
  dec eax
  mov dword ptr [eax+10h], ebp
  dec eax
  mov dword ptr [eax+18h], esi
  dec eax
  mov dword ptr [eax+20h], edi
  inc ecx
  push esi
  dec eax
  sub esp, 20h
  dec ebp
  mov edx, dword ptr [ecx+38h]
  dec eax
  mov esi, edx
  dec ebp
  mov esi, eax
  dec eax
  mov ebp, ecx
  dec ecx
  mov edx, ecx
  dec eax
  mov ecx, esi
  dec ecx
  mov edi, ecx
  inc ecx
  mov ebx, dword ptr [edx]
  dec eax
  shl ebx, 04h
  dec ecx
  add ebx, edx
  dec esp
  lea eax, dword ptr [ebx+04h]
  call 00007F26FCF568E3h
  mov eax, dword ptr [ebp+04h]
  and al, 66h
  neg al
  mov eax, 00000001h
  sbb edx, edx
  neg edx
  add edx, eax
  test dword ptr [ebx+04h], edx
  je 00007F26FCF575F3h
  dec esp
  mov ecx, edi
  dec ebp
  mov eax, esi
  dec eax
  mov edx, esi
  dec eax
  mov ecx, ebp
  call 00007F26FCF59607h
  dec eax
  mov ebx, dword ptr [esp+30h]
  dec eax
  mov ebp, dword ptr [esp+38h]
  dec eax
  mov esi, dword ptr [esp+40h]
  dec eax
  mov edi, dword ptr [esp+48h]
  dec eax
  add esp, 20h
  inc ecx
  pop esi
  ret
  int3
  int3
  int3
  dec eax
  sub esp, 48h
  dec eax
  lea ecx, dword ptr [esp+20h]
  call 00007F26FCF45E73h
  dec eax
  lea edx, dword ptr [00025747h]
  dec eax
  lea ecx, dword ptr [esp+20h]
  call 00007F26FCF586C2h
  int3
  jmp 00007F26FCF5E8A4h
  int3
  int3
  int3
  int3
  int3
  int3
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x597a0 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x597d4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x70000 | 0x154f4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6a000 | 0x306c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0x970 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x536c0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x53780 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4b3f0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x48000 | 0x508 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x588bc | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4676e | 0x46800 | f06bb06e02377ae8b223122e53be35c2 | False | 0.5372340425531915 | data | 6.47079645411382 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x48000 | 0x128c4 | 0x12a00 | 2de06d4a6920a6911e64ff20000ea72f | False | 0.4499003775167785 | data | 5.273999097784603 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x5b000 | 0xe75c | 0x1a00 | 0dbdb901a7d477980097e42e511a94fb | False | 0.28275240384615385 | data | 3.2571023907881185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x6a000 | 0x306c | 0x3200 | b0ce0f057741ad2a4ef4717079fa34e9 | False | 0.483359375 | data | 5.501810413666288 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0x6e000 | 0x360 | 0x400 | 1fcc7b1d7a02443319f8fcc2be4ca936 | False | 0.2578125 | data | 3.0459938492946015 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA | 0x6f000 | 0x15c | 0x200 | 3f331ec50f09ba861beaf955b33712d5 | False | 0.408203125 | data | 3.3356393424384843 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x70000 | 0x154f4 | 0x15600 | 830fe0401acd1728e669a91fa1858e36 | False | 0.2520559210526316 | data | 4.6583703321340835 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x86000 | 0x970 | 0xa00 | 77a9ddfc47a5650d6eebbcc823e39532 | False | 0.52421875 | data | 5.336289720085303 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources:
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x70554 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x7109c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x72648 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 60472 x 60472 px/m | | | 0.14468236129184905
RT_DIALOG | 0x82e70 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0x830f8 | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0x83234 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x83320 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0x83450 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0x83788 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x839dc | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x83bc0 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x83d8c | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0x83f44 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x8408c | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0x844f8 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x84660 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0x847b4 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0x848c0 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0x8497c | 0x1c0 | data | English | United States | 0.5178571428571429
RT_STRING | 0x84b3c | 0x250 | data | English | United States | 0.44256756756756754
RT_GROUP_ICON | 0x84d8c | 0x14 | data | | | 1.15
RT_MANIFEST | 0x84da0 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.39786666666666665
Imports (DLL: imported functions):
KERNEL32.dll: LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA
OLEAUT32.dll: SysAllocString, SysFreeString, VariantClear
gdiplus.dll: GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc
Language of compilation system | Country where language is spoken
English | United States
TCP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
                                                                      Dec 25, 2024 15:19:36.822417974 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:19:37.785299063 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:19:37.838130951 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:19:38.801425934 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:19:38.853785038 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:19:39.805129051 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:19:39.853708029 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:19:40.820816994 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:19:40.869304895 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:19:41.828681946 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:19:41.869311094 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:19:42.840951920 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:19:42.885036945 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:19:43.850033998 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:19:43.900579929 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:19:44.865190983 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:19:44.916184902 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:19:45.881397009 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:19:45.931837082 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:19:46.882805109 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:19:46.931821108 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:19:47.898336887 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:19:47.947442055 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:19:48.920522928 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:19:48.963084936 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:19:49.930217028 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:19:49.978713036 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:19:50.930820942 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:19:50.978708029 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:19:51.940610886 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:19:51.994333982 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:19:52.948999882 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:19:52.994357109 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:19:53.963340044 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:19:54.009951115 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:19:54.978641033 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:19:55.025589943 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:19:55.994407892 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:19:56.041213036 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:19:57.009879112 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:19:57.056843042 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:19:58.013906002 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:19:58.056866884 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:19:59.018045902 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:19:59.072665930 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:00.033715963 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:00.088088989 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:01.033737898 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:01.088145971 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:02.041532040 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:02.088108063 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:03.056952000 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:03.103992939 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:04.072701931 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:04.119363070 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:05.091375113 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:05.135041952 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:06.104381084 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:06.150616884 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:06.919121027 CET4993280192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:06.946986914 CET499338080192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:07.039208889 CET8049932101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:07.039494038 CET4993280192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:07.056998014 CET4993280192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:07.057013988 CET4993280192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:07.066626072 CET808049933101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:07.066917896 CET499338080192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:07.080259085 CET499338080192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:07.080270052 CET499338080192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:07.144094944 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:07.177315950 CET8049932101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:07.177361012 CET8049932101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:07.197494984 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:07.203052998 CET808049933101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:07.203083992 CET808049933101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:08.135210037 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:08.181865931 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:09.134885073 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:09.181977987 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:09.631125927 CET8049932101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:09.635356903 CET4993280192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:09.635544062 CET4993280192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:09.658351898 CET808049933101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:09.658488989 CET499338080192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:09.658646107 CET499338080192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:09.755065918 CET8049932101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:09.778192043 CET808049933101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:10.151740074 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:10.197498083 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:11.165924072 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:11.213206053 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:12.203087091 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:12.244371891 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:13.181973934 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:13.228768110 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:14.197659969 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:14.244551897 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:15.212843895 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:15.259998083 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:16.229521036 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:16.275645018 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:17.244019985 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:17.291244030 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:18.260327101 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:18.306904078 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:19.268430948 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:19.322546959 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:20.284727097 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:20.338246107 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:21.300977945 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:21.353785992 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:22.301737070 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:22.353786945 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:23.302803040 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:23.353878975 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:24.318523884 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:24.369412899 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:25.333872080 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:25.385209084 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:26.350375891 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:26.400680065 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:27.413506031 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:27.463258028 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:28.382006884 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:28.431898117 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:29.396682978 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:29.447750092 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:30.412107944 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:30.466821909 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:31.428072929 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:31.478923082 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:32.446366072 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:32.494412899 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:33.459460020 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:33.510051012 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:34.486742020 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:34.541292906 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:35.490000963 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:35.541304111 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:36.490552902 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:36.541318893 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:37.506342888 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:37.556922913 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:38.521626949 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:38.572655916 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:39.537583113 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:39.588444948 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:40.552777052 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:40.604980946 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:41.569416046 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:41.619441986 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:42.584244013 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:42.635065079 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:43.599801064 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:43.650729895 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:44.615621090 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:44.666332006 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:45.631401062 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:45.681957006 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:46.646765947 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:46.697571993 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:47.662430048 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:47.713280916 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:48.678975105 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:48.728864908 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:49.693727016 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:49.744452953 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:50.709373951 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:50.760087013 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:51.724971056 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:51.775748968 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:52.740974903 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:52.791341066 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:53.756454945 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:53.806974888 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:54.788439035 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:54.838202953 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:55.780993938 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:55.822627068 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:56.803252935 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:56.853869915 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:57.818536043 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:57.869471073 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:58.834177971 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:58.885273933 CET497965651192.168.2.4101.99.91.150
                                                                      Dec 25, 2024 15:20:59.850004911 CET565149796101.99.91.150192.168.2.4
                                                                      Dec 25, 2024 15:20:59.900749922 CET497965651192.168.2.4101.99.91.150
UDP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 25, 2024 15:18:03.620717049 CET | 63416 | 53 | 192.168.2.4 | 1.1.1.1
ICMP packets
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Dec 25, 2024 15:17:52.482693911 CET | 192.168.2.4 | 8.8.8.8 | 4d5a | | Echo
Dec 25, 2024 15:17:52.605284929 CET | 8.8.8.8 | 192.168.2.4 | 555a | | Echo Reply
Dec 25, 2024 15:17:53.619966030 CET | 192.168.2.4 | 8.8.8.8 | 4d59 | | Echo
Dec 25, 2024 15:17:53.742434025 CET | 8.8.8.8 | 192.168.2.4 | 5559 | | Echo Reply
Dec 25, 2024 15:17:54.704425097 CET | 192.168.2.4 | 8.8.8.8 | 4d58 | | Echo
Dec 25, 2024 15:17:54.826749086 CET | 8.8.8.8 | 192.168.2.4 | 5558 | | Echo Reply
Dec 25, 2024 15:17:55.801295042 CET | 192.168.2.4 | 8.8.8.8 | 4d57 | | Echo
Dec 25, 2024 15:17:55.923522949 CET | 8.8.8.8 | 192.168.2.4 | 5557 | | Echo Reply
DNS queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 25, 2024 15:18:03.620717049 CET | 192.168.2.4 | 1.1.1.1 | 0x9eec | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
DNS answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 25, 2024 15:18:03.841295004 CET | 1.1.1.1 | 192.168.2.4 | 0x9eec | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 25, 2024 15:18:36.227472067 CET | 1.1.1.1 | 192.168.2.4 | 0x6da8 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 25, 2024 15:18:36.227472067 CET | 1.1.1.1 | 192.168.2.4 | 0x6da8 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Network session 0
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49797 | 101.99.91.150 | 80 | 8764 | C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp | Bytes transferred | Direction | Data
Dec 25, 2024 15:19:07.072685003 CET | 6 | OUT | Data Raw: 00 00 00 01 / Data Ascii: (none)
Dec 25, 2024 15:19:07.072702885 CET | 6 | OUT | Data Raw: 00 00 00 03 / Data Ascii: (none)


Network session 1
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49932 | 101.99.91.150 | 80 | 8764 | C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp | Bytes transferred | Direction | Data
Dec 25, 2024 15:20:07.056998014 CET | 6 | OUT | Data Raw: 00 00 00 01 / Data Ascii: (none)
Dec 25, 2024 15:20:07.057013988 CET | 6 | OUT | Data Raw: 00 00 00 03 / Data Ascii: (none)


Target ID: 0
Start time: 09:17:50
Start date: 25/12/2024
Path: C:\Users\user\Desktop\0442.pdf.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\0442.pdf.exe"
Imagebase: 0x7ff6414e0000
File size: 11'409'543 bytes
MD5 hash: 4F6B2B9EE57C50D6C505D0CDADA4803E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 09:17:51
Start date: 25/12/2024
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ms.msi" /qn
Imagebase: 0x7ff771210000
File size: 69'632 bytes
MD5 hash: E5DA170027542E25EDE42FC54C929077
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 09:17:51
Start date: 25/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\start.bat" "
Imagebase: 0x7ff6dfbe0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 09:17:51
Start date: 25/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 09:17:51
Start date: 25/12/2024
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\doc.pdf"
Imagebase: 0x7ff6bc1b0000
File size: 5'641'176 bytes
MD5 hash: 24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 5
Start time: 09:17:51
Start date: 25/12/2024
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\msiexec.exe /V
Imagebase: 0x7ff771210000
File size: 69'632 bytes
MD5 hash: E5DA170027542E25EDE42FC54C929077
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 6
Start time: 09:17:51
Start date: 25/12/2024
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\doc2.pdf"
Imagebase: 0x7ff6bc1b0000
File size: 5'641'176 bytes
MD5 hash: 24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 09:17:51
Start date: 25/12/2024
Path: C:\Windows\System32\PING.EXE
Wow64 process (32bit): false
Commandline: ping 8.8.8.8
Imagebase: 0x7ff7353b0000
File size: 22'528 bytes
MD5 hash: 2F46799D79D22AC72C241EC0322B011D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 09:17:53
Start date: 25/12/2024
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase: 0x7ff74bb60000
File size: 3'581'912 bytes
MD5 hash: 9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 9
Start time: 09:17:53
Start date: 25/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff6eef20000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 09:17:53
Start date: 25/12/2024
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1720,i,4460427527233058691,5362964774260238234,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase: 0x7ff74bb60000
File size: 3'581'912 bytes
MD5 hash: 9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 11
Start time: 09:17:59
Start date: 25/12/2024
Path: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall
Imagebase: 0x400000
File size: 6'307'408 bytes
MD5 hash: 63D0964168B927D00064AA684E79A300
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000B.00000000.1806255889.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Author: Joe Security
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, Author: Joe Security
Antivirus matches:
• Detection: 3%, ReversingLabs
Has exited: true

Target ID: 12
Start time: 09:18:00
Start date: 25/12/2024
Path: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
Imagebase: 0x400000
File size: 7'753'808 bytes
MD5 hash: F3D74B072B9697CF64B0B8445FDC8128
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000C.00000000.1812231802.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security
Antivirus matches:
• Detection: 8%, ReversingLabs
Has exited: true

Target ID: 14
Start time: 09:18:02
Start date: 25/12/2024
Path: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall
Imagebase: 0x400000
File size: 6'307'408 bytes
MD5 hash: 63D0964168B927D00064AA684E79A300
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Has exited: true

Target ID: 15
Start time: 09:18:02
Start date: 25/12/2024
Path: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
Imagebase: 0x400000
File size: 7'753'808 bytes
MD5 hash: F3D74B072B9697CF64B0B8445FDC8128
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Has exited: true

Target ID: 16
Start time: 09:18:04
Start date: 25/12/2024
Path: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start
Imagebase: 0x400000
File size: 6'307'408 bytes
MD5 hash: 63D0964168B927D00064AA684E79A300
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Has exited: true

Target ID: 17
Start time: 09:18:04
Start date: 25/12/2024
Path: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
Imagebase: 0x400000
File size: 7'753'808 bytes
MD5 hash: F3D74B072B9697CF64B0B8445FDC8128
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Has exited: true

Target ID: 18
Start time: 09:18:04
Start date: 25/12/2024
Path: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe"
Imagebase: 0x400000
File size: 7'753'808 bytes
MD5 hash: F3D74B072B9697CF64B0B8445FDC8128
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Has exited: false

Target ID: 20
Start time: 09:18:07
Start date: 25/12/2024
Path: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"
Imagebase: 0x400000
File size: 6'307'408 bytes
MD5 hash: 63D0964168B927D00064AA684E79A300
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Has exited: false

Target ID: 21
Start time: 09:18:07
Start date: 25/12/2024
Path: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Imagebase: 0x400000
File size: 6'307'408 bytes
MD5 hash: 63D0964168B927D00064AA684E79A300
Has elevated privileges: false
Has administrator privileges: false
Programmed in: Borland Delphi
Has exited: false

Execution Graph

Execution Coverage: 11.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 27.5%
Total number of Nodes: 2000
Total number of Limit Nodes: 28
                                                                        execution_graph 26839 7ff64150b190 27182 7ff6414e255c 26839->27182 26841 7ff64150b1db 26842 7ff64150b1ef 26841->26842 26843 7ff64150be93 26841->26843 26993 7ff64150b20c 26841->26993 26847 7ff64150b2db 26842->26847 26848 7ff64150b1ff 26842->26848 26842->26993 27448 7ff64150f390 26843->27448 26846 7ff641512320 _handle_error 8 API calls 26851 7ff64150c350 26846->26851 26854 7ff64150b391 26847->26854 26859 7ff64150b2f5 26847->26859 26852 7ff64150b207 26848->26852 26853 7ff64150b2a9 26848->26853 26849 7ff64150bec9 26856 7ff64150bef0 GetDlgItem SendMessageW 26849->26856 26857 7ff64150bed5 SendDlgItemMessageW 26849->26857 26850 7ff64150beba SendMessageW 26850->26849 26862 7ff6414faae0 48 API calls 26852->26862 26852->26993 26858 7ff64150b2cb EndDialog 26853->26858 26853->26993 27190 7ff6414e22bc GetDlgItem 26854->27190 26861 7ff6414f62dc 35 API calls 26856->26861 26857->26856 26858->26993 26863 7ff6414faae0 48 API calls 26859->26863 26865 7ff64150bf47 GetDlgItem 26861->26865 26866 7ff64150b236 26862->26866 26867 7ff64150b313 SetDlgItemTextW 26863->26867 26864 7ff64150b3b1 EndDialog 26880 7ff64150b3da 26864->26880 27467 7ff6414e2520 26865->27467 27471 7ff6414e1ec4 34 API calls _handle_error 26866->27471 26871 7ff64150b326 26867->26871 26870 7ff64150b408 GetDlgItem 26874 7ff64150b44f SetFocus 26870->26874 26875 7ff64150b422 SendMessageW SendMessageW 26870->26875 26876 7ff64150b340 GetMessageW 26871->26876 26871->26993 26877 7ff64150b4f2 26874->26877 26878 7ff64150b465 26874->26878 26875->26874 26885 7ff64150b35e IsDialogMessageW 26876->26885 26876->26993 27204 7ff6414e8d04 26877->27204 26886 7ff6414faae0 48 API calls 26878->26886 26879 7ff64150b3f5 26879->26864 26887 7ff64150bcc5 26879->26887 26888 7ff6414e1fa0 31 API calls 26880->26888 26882 7ff64150b246 26883 7ff64150b25c 26882->26883 26890 7ff6414e250c SetDlgItemTextW 26882->26890 26897 7ff64150c363 26883->26897 26883->26993 26885->26871 26892 
7ff64150b373 TranslateMessage DispatchMessageW 26885->26892 26893 7ff64150b46f 26886->26893 26894 7ff6414faae0 48 API calls 26887->26894 26888->26993 26890->26883 26891 7ff64150b52c 27214 7ff64150ef80 26891->27214 26892->26871 26907 7ff6414e129c 33 API calls 26893->26907 26898 7ff64150bcd6 SetDlgItemTextW 26894->26898 26903 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 26897->26903 26902 7ff6414faae0 48 API calls 26898->26902 26908 7ff64150bd08 26902->26908 26909 7ff64150c368 26903->26909 26906 7ff6414faae0 48 API calls 26911 7ff64150b555 26906->26911 26912 7ff64150b498 26907->26912 26923 7ff6414e129c 33 API calls 26908->26923 26918 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 26909->26918 26915 7ff6414fda98 48 API calls 26911->26915 26916 7ff64150f0a4 24 API calls 26912->26916 26920 7ff64150b568 26915->26920 26921 7ff64150b4a5 26916->26921 26924 7ff64150c36e 26918->26924 27228 7ff64150f0a4 26920->27228 26921->26909 26943 7ff64150b4e8 26921->26943 26952 7ff64150bd31 26923->26952 26936 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 26924->26936 26935 7ff64150bdda 26945 7ff6414faae0 48 API calls 26935->26945 26946 7ff64150c374 26936->26946 26939 7ff6414e1fa0 31 API calls 26950 7ff64150b586 26939->26950 26942 7ff64150b5ec 26955 7ff64150b61a 26942->26955 27473 7ff6414f32a8 26942->27473 26943->26942 27472 7ff64150fa80 33 API calls 2 library calls 26943->27472 26947 7ff64150bde4 26945->26947 26957 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 26946->26957 26967 7ff6414e129c 33 API calls 26947->26967 26950->26924 26950->26943 26952->26935 26962 7ff6414e129c 33 API calls 26952->26962 27242 7ff6414f2f58 26955->27242 26961 7ff64150c37a 26957->26961 26974 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 26961->26974 26968 7ff64150bd7f 26962->26968 26973 7ff64150be0d 26967->26973 26976 7ff6414faae0 48 API calls 26968->26976 26971 7ff64150b64c 27254 7ff6414f7fc4 26971->27254 26972 7ff64150b634 GetLastError 
26972->26971 26990 7ff6414e129c 33 API calls 26973->26990 26980 7ff64150c380 26974->26980 26981 7ff64150bd8a 26976->26981 26978 7ff64150b60e 27476 7ff641509d90 12 API calls _handle_error 26978->27476 26991 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 26980->26991 26986 7ff6414e1150 33 API calls 26981->26986 26984 7ff64150b65e 26988 7ff64150b674 26984->26988 26989 7ff64150b665 GetLastError 26984->26989 26992 7ff64150bda2 26986->26992 26995 7ff64150b71c 26988->26995 26999 7ff64150b68b GetTickCount 26988->26999 27000 7ff64150b72b 26988->27000 26989->26988 26996 7ff64150be4e 26990->26996 26997 7ff64150c386 26991->26997 27002 7ff6414e2034 33 API calls 26992->27002 26993->26846 26995->27000 27015 7ff64150bb79 26995->27015 27008 7ff6414e1fa0 31 API calls 26996->27008 27001 7ff6414e255c 61 API calls 26997->27001 27257 7ff6414e4228 26999->27257 27005 7ff64150ba50 27000->27005 27012 7ff6414f6454 34 API calls 27000->27012 27004 7ff64150c3e4 27001->27004 27006 7ff64150bdbe 27002->27006 27009 7ff64150c3e8 27004->27009 27018 7ff64150c489 GetDlgItem SetFocus 27004->27018 27065 7ff64150c3fd 27004->27065 27005->26864 27485 7ff6414ebd0c 33 API calls 27005->27485 27013 7ff6414e1fa0 31 API calls 27006->27013 27016 7ff64150be78 27008->27016 27025 7ff641512320 _handle_error 8 API calls 27009->27025 27020 7ff64150b74e 27012->27020 27021 7ff64150bdcc 27013->27021 27031 7ff6414faae0 48 API calls 27015->27031 27023 7ff6414e1fa0 31 API calls 27016->27023 27017 7ff64150ba75 27486 7ff6414e1150 27017->27486 27029 7ff64150c4ba 27018->27029 27477 7ff6414fb914 102 API calls 27020->27477 27028 7ff6414e1fa0 31 API calls 27021->27028 27022 7ff64150b6ba 27030 7ff6414e1fa0 31 API calls 27022->27030 27032 7ff64150be83 27023->27032 27034 7ff64150ca97 27025->27034 27028->26935 27036 7ff6414e129c 33 API calls 27029->27036 27037 7ff64150b6c8 27030->27037 27038 7ff64150bba7 SetDlgItemTextW 27031->27038 27039 7ff6414e1fa0 31 API calls 27032->27039 27033 7ff64150ba8a 27040 7ff6414faae0 48 API 
calls 27033->27040 27035 7ff64150b768 27042 7ff6414fda98 48 API calls 27035->27042 27043 7ff64150c4cc 27036->27043 27267 7ff6414f2134 27037->27267 27044 7ff6414e2534 27038->27044 27039->26880 27045 7ff64150ba97 27040->27045 27041 7ff64150c434 SendDlgItemMessageW 27046 7ff64150c45d EndDialog 27041->27046 27047 7ff64150c454 27041->27047 27048 7ff64150b7aa GetCommandLineW 27042->27048 27490 7ff6414f80d8 33 API calls 27043->27490 27052 7ff64150bbc5 SetDlgItemTextW GetDlgItem 27044->27052 27053 7ff6414e1150 33 API calls 27045->27053 27046->27009 27047->27046 27049 7ff64150b869 27048->27049 27050 7ff64150b84f 27048->27050 27478 7ff64150ab54 33 API calls _handle_error 27049->27478 27066 7ff6414e20b0 33 API calls 27050->27066 27057 7ff64150bbf0 GetWindowLongPtrW SetWindowLongPtrW 27052->27057 27058 7ff64150bc13 27052->27058 27059 7ff64150baaa 27053->27059 27054 7ff64150c4e0 27060 7ff6414e250c SetDlgItemTextW 27054->27060 27057->27058 27283 7ff64150ce88 27058->27283 27064 7ff6414e1fa0 31 API calls 27059->27064 27067 7ff64150c4f4 27060->27067 27061 7ff64150b87a 27479 7ff64150ab54 33 API calls _handle_error 27061->27479 27072 7ff64150bab5 27064->27072 27065->27009 27065->27041 27066->27049 27077 7ff64150c526 SendDlgItemMessageW FindFirstFileW 27067->27077 27069 7ff64150b704 27074 7ff6414f204c 100 API calls 27069->27074 27070 7ff64150b6f5 GetLastError 27070->27069 27076 7ff6414e1fa0 31 API calls 27072->27076 27073 7ff64150b88b 27480 7ff64150ab54 33 API calls _handle_error 27073->27480 27079 7ff64150b711 27074->27079 27075 7ff64150ce88 160 API calls 27080 7ff64150bc3c 27075->27080 27081 7ff64150bac3 27076->27081 27082 7ff64150c57b 27077->27082 27174 7ff64150ca04 27077->27174 27084 7ff6414e1fa0 31 API calls 27079->27084 27433 7ff64150f974 27080->27433 27091 7ff6414faae0 48 API calls 27081->27091 27092 7ff6414faae0 48 API calls 27082->27092 27083 7ff64150b89c 27481 7ff6414fb9b4 102 API calls 27083->27481 27084->26995 27088 7ff64150b8b3 27482 7ff64150fbdc 33 API calls 27088->27482 
27089 7ff64150ca81 27089->27009 27090 7ff64150ce88 160 API calls 27105 7ff64150bc6a 27090->27105 27095 7ff64150badb 27091->27095 27096 7ff64150c59e 27092->27096 27094 7ff64150caa9 27098 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27094->27098 27106 7ff6414e129c 33 API calls 27095->27106 27107 7ff6414e129c 33 API calls 27096->27107 27097 7ff64150b8d2 CreateFileMappingW 27101 7ff64150b911 MapViewOfFile 27097->27101 27102 7ff64150b953 ShellExecuteExW 27097->27102 27103 7ff64150caae 27098->27103 27099 7ff64150bc96 27447 7ff6414e2298 GetDlgItem EnableWindow 27099->27447 27483 7ff641513640 27101->27483 27122 7ff64150b974 27102->27122 27108 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27103->27108 27105->27099 27109 7ff64150ce88 160 API calls 27105->27109 27113 7ff64150bb04 27106->27113 27110 7ff64150c5cd 27107->27110 27111 7ff64150cab4 27108->27111 27109->27099 27112 7ff6414e1150 33 API calls 27110->27112 27117 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27111->27117 27115 7ff64150c5e8 27112->27115 27113->26961 27114 7ff64150bb5a 27113->27114 27118 7ff6414e1fa0 31 API calls 27114->27118 27491 7ff6414ee164 33 API calls 2 library calls 27115->27491 27116 7ff64150b9c3 27123 7ff64150b9dc UnmapViewOfFile CloseHandle 27116->27123 27124 7ff64150b9ef 27116->27124 27120 7ff64150caba 27117->27120 27118->26864 27126 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27120->27126 27121 7ff64150c5ff 27127 7ff6414e1fa0 31 API calls 27121->27127 27122->27116 27131 7ff64150b9b1 Sleep 27122->27131 27123->27124 27124->26946 27125 7ff64150ba25 27124->27125 27129 7ff6414e1fa0 31 API calls 27125->27129 27128 7ff64150cac0 27126->27128 27130 7ff64150c60c 27127->27130 27133 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27128->27133 27132 7ff64150ba42 27129->27132 27130->27103 27135 7ff6414e1fa0 31 API calls 27130->27135 27131->27116 27131->27122 27134 7ff6414e1fa0 31 API calls 27132->27134 27136 7ff64150cac6 27133->27136 
27134->27005 27137 7ff64150c673 27135->27137 27140 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27136->27140 27138 7ff6414e250c SetDlgItemTextW 27137->27138 27139 7ff64150c687 FindClose 27138->27139 27141 7ff64150c797 SendDlgItemMessageW 27139->27141 27142 7ff64150c6a3 27139->27142 27143 7ff64150cacc 27140->27143 27145 7ff64150c7cb 27141->27145 27492 7ff64150a2cc 10 API calls _handle_error 27142->27492 27148 7ff6414faae0 48 API calls 27145->27148 27146 7ff64150c6c6 27147 7ff6414faae0 48 API calls 27146->27147 27149 7ff64150c6cf 27147->27149 27150 7ff64150c7d8 27148->27150 27151 7ff6414fda98 48 API calls 27149->27151 27152 7ff6414e129c 33 API calls 27150->27152 27155 7ff64150c6ec memcpy_s 27151->27155 27154 7ff64150c807 27152->27154 27153 7ff6414e1fa0 31 API calls 27156 7ff64150c783 27153->27156 27157 7ff6414e1150 33 API calls 27154->27157 27155->27111 27155->27153 27158 7ff6414e250c SetDlgItemTextW 27156->27158 27159 7ff64150c822 27157->27159 27158->27141 27493 7ff6414ee164 33 API calls 2 library calls 27159->27493 27161 7ff64150c839 27162 7ff6414e1fa0 31 API calls 27161->27162 27163 7ff64150c845 memcpy_s 27162->27163 27164 7ff6414e1fa0 31 API calls 27163->27164 27165 7ff64150c87f 27164->27165 27166 7ff6414e1fa0 31 API calls 27165->27166 27167 7ff64150c88c 27166->27167 27167->27120 27168 7ff6414e1fa0 31 API calls 27167->27168 27169 7ff64150c8f3 27168->27169 27170 7ff6414e250c SetDlgItemTextW 27169->27170 27171 7ff64150c907 27170->27171 27171->27174 27494 7ff64150a2cc 10 API calls _handle_error 27171->27494 27173 7ff64150c932 27175 7ff6414faae0 48 API calls 27173->27175 27174->27009 27174->27089 27174->27094 27174->27136 27176 7ff64150c93c 27175->27176 27177 7ff6414fda98 48 API calls 27176->27177 27179 7ff64150c959 memcpy_s 27177->27179 27178 7ff6414e1fa0 31 API calls 27180 7ff64150c9f0 27178->27180 27179->27128 27179->27178 27181 7ff6414e250c SetDlgItemTextW 27180->27181 27181->27174 27183 7ff6414e25d0 27182->27183 27184 7ff6414e256a 27182->27184 
27183->26841 27184->27183 27495 7ff6414fa4ac 27184->27495 27186 7ff6414e258f 27186->27183 27187 7ff6414e25a4 GetDlgItem 27186->27187 27187->27183 27188 7ff6414e25b7 27187->27188 27188->27183 27189 7ff6414e25be SetWindowTextW 27188->27189 27189->27183 27191 7ff6414e2334 27190->27191 27192 7ff6414e22fc 27190->27192 27544 7ff6414e23f8 GetWindowTextLengthW 27191->27544 27195 7ff6414e129c 33 API calls 27192->27195 27194 7ff6414e232a memcpy_s 27196 7ff6414e1fa0 31 API calls 27194->27196 27199 7ff6414e2389 27194->27199 27195->27194 27196->27199 27197 7ff6414e23c8 27198 7ff641512320 _handle_error 8 API calls 27197->27198 27200 7ff6414e23dd 27198->27200 27199->27197 27201 7ff6414e23f0 27199->27201 27200->26864 27200->26870 27200->26879 27202 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27201->27202 27203 7ff6414e23f5 27202->27203 27205 7ff6414e8d34 27204->27205 27212 7ff6414e8de8 27204->27212 27206 7ff6414e8d42 memcpy_s 27205->27206 27209 7ff6414e8de3 27205->27209 27210 7ff6414e8d91 27205->27210 27206->26891 27556 7ff6414e1f80 33 API calls 3 library calls 27209->27556 27210->27206 27213 7ff6415121d0 33 API calls 27210->27213 27557 7ff6414e2004 33 API calls std::_Xinvalid_argument 27212->27557 27213->27206 27218 7ff64150efb0 27214->27218 27215 7ff641512320 _handle_error 8 API calls 27216 7ff64150b537 27215->27216 27216->26906 27217 7ff64150efd7 27217->27215 27218->27217 27558 7ff6414ebd0c 33 API calls 27218->27558 27220 7ff64150f02a 27221 7ff6414e1150 33 API calls 27220->27221 27222 7ff64150f03f 27221->27222 27223 7ff6414e1fa0 31 API calls 27222->27223 27225 7ff64150f04f memcpy_s 27222->27225 27223->27225 27224 7ff6414e1fa0 31 API calls 27226 7ff64150f076 27224->27226 27225->27224 27227 7ff6414e1fa0 31 API calls 27226->27227 27227->27217 27559 7ff64150ae1c PeekMessageW 27228->27559 27231 7ff64150f143 SendMessageW SendMessageW 27233 7ff64150f189 27231->27233 27234 7ff64150f1a4 SendMessageW 27231->27234 27232 7ff64150f0f5 27235 7ff64150f101 ShowWindow 
SendMessageW SendMessageW 27232->27235 27233->27234 27236 7ff64150f1c6 SendMessageW SendMessageW 27234->27236 27237 7ff64150f1c3 27234->27237 27235->27231 27238 7ff64150f218 SendMessageW 27236->27238 27239 7ff64150f1f3 SendMessageW 27236->27239 27237->27236 27240 7ff641512320 _handle_error 8 API calls 27238->27240 27239->27238 27241 7ff64150b578 27240->27241 27241->26939 27243 7ff6414f309d 27242->27243 27250 7ff6414f2f8e 27242->27250 27244 7ff641512320 _handle_error 8 API calls 27243->27244 27245 7ff6414f30b3 27244->27245 27245->26971 27245->26972 27246 7ff6414f3077 27246->27243 27247 7ff6414f3684 56 API calls 27246->27247 27247->27243 27248 7ff6414e129c 33 API calls 27248->27250 27250->27246 27250->27248 27251 7ff6414f30c8 27250->27251 27564 7ff6414f3684 27250->27564 27252 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27251->27252 27253 7ff6414f30cd 27252->27253 27255 7ff6414f7fd2 SetCurrentDirectoryW 27254->27255 27256 7ff6414f7fcf 27254->27256 27255->26984 27256->27255 27258 7ff6414e4255 27257->27258 27259 7ff6414e426a 27258->27259 27260 7ff6414e129c 33 API calls 27258->27260 27261 7ff641512320 _handle_error 8 API calls 27259->27261 27260->27259 27262 7ff6414e42a1 27261->27262 27263 7ff6414e3c84 27262->27263 27264 7ff6414e3cab 27263->27264 27598 7ff6414e710c 27264->27598 27266 7ff6414e3cbb memcpy_s 27266->27022 27270 7ff6414f216a 27267->27270 27268 7ff6414f219e 27271 7ff6414f227f 27268->27271 27272 7ff6414f6a0c 49 API calls 27268->27272 27269 7ff6414f21b1 CreateFileW 27269->27268 27270->27268 27270->27269 27273 7ff6414f22af 27271->27273 27279 7ff6414e20b0 33 API calls 27271->27279 27275 7ff6414f2209 27272->27275 27274 7ff641512320 _handle_error 8 API calls 27273->27274 27276 7ff6414f22c4 27274->27276 27277 7ff6414f220d CreateFileW 27275->27277 27278 7ff6414f2246 27275->27278 27276->27069 27276->27070 27277->27278 27278->27271 27280 7ff6414f22d8 27278->27280 27279->27273 27281 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 
27280->27281 27282 7ff6414f22dd 27281->27282 27610 7ff64150aa08 27283->27610 27285 7ff64150d1ee 27286 7ff6414e1fa0 31 API calls 27285->27286 27287 7ff64150d1f7 27286->27287 27289 7ff641512320 _handle_error 8 API calls 27287->27289 27288 7ff6414fd22c 33 API calls 27432 7ff64150cf03 memcpy_s 27288->27432 27290 7ff64150bc2b 27289->27290 27290->27075 27291 7ff64150eefa 27735 7ff6414e704c 47 API calls memcpy_s 27291->27735 27294 7ff64150ef00 27736 7ff6414e704c 47 API calls memcpy_s 27294->27736 27296 7ff64150ef06 27300 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27296->27300 27298 7ff64150eeee 27299 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27298->27299 27301 7ff64150eef4 27299->27301 27303 7ff64150ef0c 27300->27303 27734 7ff6414e704c 47 API calls memcpy_s 27301->27734 27305 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27303->27305 27307 7ff64150ef12 27305->27307 27306 7ff64150ee4a 27308 7ff64150eed2 27306->27308 27309 7ff6414e20b0 33 API calls 27306->27309 27312 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27307->27312 27732 7ff6414e1f80 33 API calls 3 library calls 27308->27732 27314 7ff64150ee77 27309->27314 27310 7ff64150eee8 27733 7ff6414e2004 33 API calls std::_Xinvalid_argument 27310->27733 27311 7ff6414e13a4 33 API calls 27315 7ff64150dc3a GetTempPathW 27311->27315 27317 7ff64150ef18 27312->27317 27731 7ff64150abe8 33 API calls 3 library calls 27314->27731 27315->27432 27316 7ff6414f62dc 35 API calls 27316->27432 27321 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27317->27321 27326 7ff64150ef1e 27321->27326 27322 7ff64151bb8c 43 API calls 27322->27432 27324 7ff64150ee8d 27331 7ff6414e1fa0 31 API calls 27324->27331 27334 7ff64150eea4 memcpy_s 27324->27334 27325 7ff6414e2520 SetWindowTextW 27325->27432 27332 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27326->27332 27327 7ff6414e8d04 33 API calls 27327->27432 27329 7ff6414e1fa0 31 API calls 27329->27308 27330 
7ff64150e7f3 27330->27308 27330->27310 27333 7ff6415121d0 33 API calls 27330->27333 27341 7ff64150e83b memcpy_s 27330->27341 27331->27334 27336 7ff64150ef24 27332->27336 27333->27341 27334->27329 27340 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27336->27340 27337 7ff6414e20b0 33 API calls 27337->27432 27338 7ff64150aa08 33 API calls 27338->27432 27339 7ff64150ef6c 27739 7ff6414e2004 33 API calls std::_Xinvalid_argument 27339->27739 27345 7ff64150ef2a 27340->27345 27350 7ff6414e20b0 33 API calls 27341->27350 27391 7ff64150eb8f 27341->27391 27343 7ff6414e1fa0 31 API calls 27343->27306 27344 7ff64150ef78 27741 7ff6414e2004 33 API calls std::_Xinvalid_argument 27344->27741 27358 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27345->27358 27346 7ff64150ef72 27740 7ff6414e1f80 33 API calls 3 library calls 27346->27740 27348 7ff6414f5820 33 API calls 27348->27432 27349 7ff64150ef66 27738 7ff6414e1f80 33 API calls 3 library calls 27349->27738 27359 7ff64150e963 27350->27359 27353 7ff6414e1fa0 31 API calls 27353->27432 27354 7ff6414e129c 33 API calls 27354->27432 27355 7ff64150ed40 27355->27344 27355->27346 27370 7ff64150ed3b memcpy_s 27355->27370 27375 7ff6415121d0 33 API calls 27355->27375 27357 7ff64150ec2a 27357->27339 27357->27349 27364 7ff64150ec72 memcpy_s 27357->27364 27357->27370 27372 7ff6415121d0 33 API calls 27357->27372 27363 7ff64150ef30 27358->27363 27365 7ff64150ef60 27359->27365 27371 7ff6414e129c 33 API calls 27359->27371 27362 7ff6414f3d34 51 API calls 27362->27432 27376 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27363->27376 27653 7ff64150f4e0 27364->27653 27737 7ff6414e704c 47 API calls memcpy_s 27365->27737 27367 7ff64150d5e9 GetDlgItem 27373 7ff6414e2520 SetWindowTextW 27367->27373 27370->27343 27377 7ff64150e9a6 27371->27377 27372->27364 27378 7ff64150d608 SendMessageW 27373->27378 27375->27370 27383 7ff64150ef36 27376->27383 27727 7ff6414fd22c 27377->27727 27378->27432 27379 7ff6414fdc2c 33 API calls 
27379->27432 27380 7ff6414f32bc 51 API calls 27380->27432 27381 7ff6414e2674 31 API calls 27381->27432 27386 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27383->27386 27385 7ff6414f5b60 53 API calls 27385->27432 27390 7ff64150ef3c 27386->27390 27387 7ff64150d63c SendMessageW 27387->27432 27389 7ff6414f3f30 54 API calls 27389->27432 27394 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27390->27394 27391->27355 27391->27357 27396 7ff64150ef54 27391->27396 27398 7ff64150ef5a 27391->27398 27397 7ff64150ef42 27394->27397 27399 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27396->27399 27403 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27397->27403 27400 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27398->27400 27399->27398 27400->27365 27401 7ff6414e4228 33 API calls 27401->27432 27405 7ff64150ef48 27403->27405 27404 7ff6414f32a8 51 API calls 27404->27432 27408 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27405->27408 27406 7ff6414f5aa8 33 API calls 27406->27432 27407 7ff6414ee164 33 API calls 27407->27432 27410 7ff64150ef4e 27408->27410 27409 7ff6414e250c SetDlgItemTextW 27409->27432 27415 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27410->27415 27411 7ff6414e129c 33 API calls 27423 7ff64150e9d1 27411->27423 27413 7ff6414f7df4 47 API calls 27413->27432 27414 7ff6414e1150 33 API calls 27414->27432 27415->27396 27416 7ff6415099c8 31 API calls 27416->27432 27418 7ff6414e1fa0 31 API calls 27418->27423 27420 7ff6415013c4 CompareStringW 27420->27423 27421 7ff64150df99 EndDialog 27421->27432 27423->27391 27423->27405 27423->27410 27423->27411 27423->27418 27423->27420 27424 7ff6414fd22c 33 API calls 27423->27424 27424->27423 27425 7ff64150db21 MoveFileW 27426 7ff64150db70 27425->27426 27427 7ff64150db55 MoveFileExW 27425->27427 27428 7ff6414e1fa0 31 API calls 27426->27428 27426->27432 27427->27426 27428->27426 27429 7ff6414f2f58 56 API calls 27429->27432 27430 
7ff6414e2034 33 API calls 27430->27432 27432->27285 27432->27288 27432->27291 27432->27294 27432->27296 27432->27298 27432->27301 27432->27303 27432->27306 27432->27307 27432->27311 27432->27316 27432->27317 27432->27322 27432->27325 27432->27326 27432->27327 27432->27330 27432->27336 27432->27337 27432->27338 27432->27345 27432->27348 27432->27353 27432->27354 27432->27362 27432->27363 27432->27379 27432->27380 27432->27381 27432->27383 27432->27385 27432->27387 27432->27389 27432->27390 27432->27397 27432->27401 27432->27404 27432->27406 27432->27407 27432->27409 27432->27413 27432->27414 27432->27416 27432->27421 27432->27425 27432->27429 27432->27430 27614 7ff6415013c4 CompareStringW 27432->27614 27615 7ff64150a440 27432->27615 27691 7ff6414fcfa4 35 API calls _invalid_parameter_noinfo_noreturn 27432->27691 27692 7ff6415095b4 33 API calls Concurrency::cancel_current_task 27432->27692 27693 7ff641510684 31 API calls _invalid_parameter_noinfo_noreturn 27432->27693 27694 7ff6414edf4c 47 API calls memcpy_s 27432->27694 27695 7ff64150a834 33 API calls _invalid_parameter_noinfo_noreturn 27432->27695 27696 7ff641509518 33 API calls 27432->27696 27697 7ff64150abe8 33 API calls 3 library calls 27432->27697 27698 7ff6414f7368 33 API calls 2 library calls 27432->27698 27699 7ff6414f4088 33 API calls 27432->27699 27700 7ff6414f65b0 33 API calls 3 library calls 27432->27700 27701 7ff6414f72cc 27432->27701 27705 7ff6414e1744 33 API calls 4 library calls 27432->27705 27706 7ff6414f31bc 27432->27706 27720 7ff6414f3ea0 FindClose 27432->27720 27721 7ff6415013f4 CompareStringW 27432->27721 27722 7ff641509cd0 47 API calls 27432->27722 27723 7ff6415087d8 51 API calls 3 library calls 27432->27723 27724 7ff64150ab54 33 API calls _handle_error 27432->27724 27725 7ff6414f5b08 CompareStringW 27432->27725 27726 7ff6414f7eb0 47 API calls 27432->27726 27434 7ff64150f9a3 27433->27434 27435 7ff6414e20b0 33 API calls 27434->27435 27436 7ff64150f9b9 27435->27436 27437 7ff64150f9ee 27436->27437 
27438 7ff6414e20b0 33 API calls 27436->27438 27754 7ff6414ee34c 27437->27754 27438->27437 27440 7ff64150fa4b 27774 7ff6414ee7a8 27440->27774 27444 7ff64150fa61 27445 7ff641512320 _handle_error 8 API calls 27444->27445 27446 7ff64150bc52 27445->27446 27446->27090 27449 7ff64150849c 4 API calls 27448->27449 27450 7ff64150f3bf 27449->27450 27451 7ff64150f4b7 27450->27451 27452 7ff64150f3c7 GetWindow 27450->27452 27453 7ff641512320 _handle_error 8 API calls 27451->27453 27457 7ff64150f3e2 27452->27457 27454 7ff64150be9b 27453->27454 27454->26849 27454->26850 27455 7ff64150f3ee GetClassNameW 28812 7ff6415013c4 CompareStringW 27455->28812 27457->27451 27457->27455 27458 7ff64150f496 GetWindow 27457->27458 27459 7ff64150f417 GetWindowLongPtrW 27457->27459 27458->27451 27458->27457 27459->27458 27460 7ff64150f429 SendMessageW 27459->27460 27460->27458 27461 7ff64150f445 GetObjectW 27460->27461 28813 7ff641508504 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 27461->28813 27463 7ff64150f461 27464 7ff6415084cc 4 API calls 27463->27464 28814 7ff641508df4 16 API calls _handle_error 27463->28814 27464->27463 27466 7ff64150f479 SendMessageW DeleteObject 27466->27458 27468 7ff6414e252a SetWindowTextW 27467->27468 27469 7ff6414e2527 27467->27469 27470 7ff64154e2e0 27468->27470 27469->27468 27471->26882 27472->26942 27474 7ff6414f32bc 51 API calls 27473->27474 27475 7ff6414f32b1 27474->27475 27475->26955 27475->26978 27476->26955 27477->27035 27478->27061 27479->27073 27480->27083 27481->27088 27482->27097 27484 7ff641513620 27483->27484 27484->27102 27485->27017 27487 7ff6414e1177 27486->27487 27488 7ff6414e2034 33 API calls 27487->27488 27489 7ff6414e1185 memcpy_s 27488->27489 27489->27033 27490->27054 27491->27121 27492->27146 27493->27161 27494->27173 27496 7ff6414f3e28 swprintf 46 API calls 27495->27496 27497 7ff6414fa509 27496->27497 27498 7ff641500f68 WideCharToMultiByte 27497->27498 27499 7ff6414fa519 27498->27499 27500 7ff6414fa589 27499->27500 27514 7ff6414f9800 31 API calls 
27499->27514 27518 7ff6414fa56a SetDlgItemTextW 27499->27518 27520 7ff6414f9408 27500->27520 27503 7ff6414fa603 27505 7ff6414fa6c2 27503->27505 27506 7ff6414fa60c GetWindowLongPtrW 27503->27506 27504 7ff6414fa6f2 GetSystemMetrics GetWindow 27507 7ff6414fa821 27504->27507 27517 7ff6414fa71d 27504->27517 27535 7ff6414f95a8 27505->27535 27509 7ff64154e2c0 27506->27509 27508 7ff641512320 _handle_error 8 API calls 27507->27508 27511 7ff6414fa830 27508->27511 27512 7ff6414fa6aa GetWindowRect 27509->27512 27511->27186 27512->27505 27514->27499 27515 7ff6414fa6e5 SetWindowTextW 27515->27504 27516 7ff6414fa73e GetWindowRect 27516->27517 27517->27507 27517->27516 27519 7ff6414fa800 GetWindow 27517->27519 27518->27499 27519->27507 27519->27517 27521 7ff6414f95a8 47 API calls 27520->27521 27524 7ff6414f944f 27521->27524 27522 7ff641512320 _handle_error 8 API calls 27523 7ff6414f958e GetWindowRect GetClientRect 27522->27523 27523->27503 27523->27504 27525 7ff6414e129c 33 API calls 27524->27525 27533 7ff6414f955a 27524->27533 27526 7ff6414f949c 27525->27526 27527 7ff6414f95a1 27526->27527 27529 7ff6414e129c 33 API calls 27526->27529 27528 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27527->27528 27530 7ff6414f95a7 27528->27530 27531 7ff6414f9514 27529->27531 27532 7ff6414f959c 27531->27532 27531->27533 27534 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27532->27534 27533->27522 27534->27527 27536 7ff6414f3e28 swprintf 46 API calls 27535->27536 27537 7ff6414f95eb 27536->27537 27538 7ff641500f68 WideCharToMultiByte 27537->27538 27539 7ff6414f9603 27538->27539 27540 7ff6414f9800 31 API calls 27539->27540 27541 7ff6414f961b 27540->27541 27542 7ff641512320 _handle_error 8 API calls 27541->27542 27543 7ff6414f962b 27542->27543 27543->27504 27543->27515 27545 7ff6414e13a4 33 API calls 27544->27545 27546 7ff6414e2462 GetWindowTextW 27545->27546 27547 7ff6414e2494 27546->27547 27548 7ff6414e129c 33 API calls 27547->27548 27549 7ff6414e24a2 27548->27549 
27551 7ff6414e2505 27549->27551 27552 7ff6414e24dd 27549->27552 27550 7ff641512320 _handle_error 8 API calls 27553 7ff6414e24f3 27550->27553 27554 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27551->27554 27552->27550 27553->27194 27555 7ff6414e250a 27554->27555 27556->27212 27558->27220 27560 7ff64150ae3c GetMessageW 27559->27560 27561 7ff64150ae80 GetDlgItem 27559->27561 27562 7ff64150ae6a TranslateMessage DispatchMessageW 27560->27562 27563 7ff64150ae5b IsDialogMessageW 27560->27563 27561->27231 27561->27232 27562->27561 27563->27561 27563->27562 27566 7ff6414f36b3 27564->27566 27565 7ff6414f36e0 27568 7ff6414f32bc 51 API calls 27565->27568 27566->27565 27567 7ff6414f36cc CreateDirectoryW 27566->27567 27567->27565 27569 7ff6414f377d 27567->27569 27570 7ff6414f36ee 27568->27570 27571 7ff6414f378d 27569->27571 27584 7ff6414f3d34 27569->27584 27572 7ff6414f3791 GetLastError 27570->27572 27574 7ff6414f6a0c 49 API calls 27570->27574 27575 7ff641512320 _handle_error 8 API calls 27571->27575 27572->27571 27576 7ff6414f371c 27574->27576 27577 7ff6414f37b9 27575->27577 27578 7ff6414f3720 CreateDirectoryW 27576->27578 27579 7ff6414f373b 27576->27579 27577->27250 27578->27579 27580 7ff6414f3774 27579->27580 27581 7ff6414f37ce 27579->27581 27580->27569 27580->27572 27582 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27581->27582 27583 7ff6414f37d3 27582->27583 27585 7ff6414f3d5e SetFileAttributesW 27584->27585 27586 7ff6414f3d5b 27584->27586 27587 7ff6414f3d74 27585->27587 27594 7ff6414f3df5 27585->27594 27586->27585 27589 7ff6414f6a0c 49 API calls 27587->27589 27588 7ff641512320 _handle_error 8 API calls 27590 7ff6414f3e0a 27588->27590 27591 7ff6414f3d99 27589->27591 27590->27571 27592 7ff6414f3d9d SetFileAttributesW 27591->27592 27593 7ff6414f3dbc 27591->27593 27592->27593 27593->27594 27595 7ff6414f3e1a 27593->27595 27594->27588 27596 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27595->27596 27597 7ff6414f3e1f 27596->27597 
27599 7ff6414e713b 27598->27599 27600 7ff6414e7206 27598->27600 27604 7ff6414e714b memcpy_s 27599->27604 27607 7ff6414e3f48 33 API calls 2 library calls 27599->27607 27608 7ff6414e704c 47 API calls memcpy_s 27600->27608 27602 7ff6414e720b 27605 7ff6414e7273 27602->27605 27609 7ff6414e889c 8 API calls memcpy_s 27602->27609 27604->27266 27605->27266 27607->27604 27608->27602 27609->27602 27611 7ff64150aa36 27610->27611 27612 7ff64150aa2f 27610->27612 27611->27612 27742 7ff6414e1744 33 API calls 4 library calls 27611->27742 27612->27432 27614->27432 27616 7ff64150a706 27615->27616 27617 7ff64150a47f 27615->27617 27619 7ff641512320 _handle_error 8 API calls 27616->27619 27743 7ff64150cdf8 33 API calls 27617->27743 27621 7ff64150a717 27619->27621 27620 7ff64150a49e 27622 7ff6414e129c 33 API calls 27620->27622 27621->27367 27623 7ff64150a4de 27622->27623 27624 7ff6414e129c 33 API calls 27623->27624 27625 7ff64150a517 27624->27625 27626 7ff6414e129c 33 API calls 27625->27626 27627 7ff64150a54a 27626->27627 27744 7ff64150a834 33 API calls _invalid_parameter_noinfo_noreturn 27627->27744 27629 7ff64150a734 27631 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27629->27631 27630 7ff64150a573 27630->27629 27632 7ff64150a73a 27630->27632 27633 7ff64150a740 27630->27633 27636 7ff6414e20b0 33 API calls 27630->27636 27637 7ff64150a685 27630->27637 27631->27632 27634 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27632->27634 27635 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27633->27635 27634->27633 27638 7ff64150a746 27635->27638 27636->27637 27637->27616 27637->27638 27639 7ff64150a72f 27637->27639 27640 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27638->27640 27642 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 27639->27642 27641 7ff64150a74c 27640->27641 27643 7ff6414e255c 61 API calls 27641->27643 27642->27629 27644 7ff64150a795 27643->27644 27645 7ff64150a7b1 27644->27645 27646 7ff64150a801 
std::_Xinvalid_argument 26500->26565 26501 7ff6414f70d5 26503 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 26501->26503 26509 7ff6414f70db 26503->26509 26504 7ff6414f70a6 26515 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 26504->26515 26505 7ff6414f6f56 26562 7ff6414e11cc 33 API calls memcpy_s 26505->26562 26516 7ff6414f70b7 26508->26516 26522 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 26509->26522 26517 7ff6414e129c 33 API calls 26510->26517 26510->26549 26511->26518 26513 7ff6414f70c3 26525 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 26513->26525 26514 7ff6414e1fa0 31 API calls 26514->26549 26515->26489 26520 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 26516->26520 26523 7ff6414f6bbe 26517->26523 26518->26514 26519 7ff6414f6f69 26563 7ff6414f57ac 33 API calls memcpy_s 26519->26563 26520->26500 26521 7ff6414e1fa0 31 API calls 26535 7ff6414f6df5 26521->26535 26526 7ff6414f70e1 26522->26526 26553 7ff6414f5820 33 API calls 26523->26553 26528 7ff6414f70c9 26525->26528 26566 7ff6414e704c 47 API calls memcpy_s 26528->26566 26529 7ff6414f6d76 memcpy_s 26529->26513 26529->26521 26530 7ff6414f6bd3 26554 7ff6414ee164 33 API calls 2 library calls 26530->26554 26531 7ff6414e1fa0 31 API calls 26534 7ff6414f6fec 26531->26534 26537 7ff6414e1fa0 31 API calls 26534->26537 26540 7ff6414f6e21 26535->26540 26556 7ff6414e1744 33 API calls 4 library calls 26535->26556 26536 7ff6414f6f79 memcpy_s 26536->26509 26536->26531 26539 7ff6414f6ff6 26537->26539 26538 7ff6414e1fa0 31 API calls 26542 7ff6414f6c6d 26538->26542 26543 7ff6414e1fa0 31 API calls 26539->26543 26540->26528 26544 7ff6414e129c 33 API calls 26540->26544 26545 7ff6414e1fa0 31 API calls 26542->26545 26543->26549 26546 7ff6414f6ec2 26544->26546 26545->26549 26557 7ff6414e2034 26546->26557 26547 7ff6414f6be9 memcpy_s 26547->26516 26547->26538 26549->26495 26549->26497 26549->26501 26549->26504 26550 7ff6414f6edf 26551 7ff6414e1fa0 31 API calls 
26550->26551 26551->26549 26552->26498 26553->26530 26554->26547 26555->26529 26556->26540 26558 7ff6414e2085 26557->26558 26560 7ff6414e2059 memcpy_s 26557->26560 26568 7ff6414e15b8 33 API calls 3 library calls 26558->26568 26560->26550 26561->26505 26562->26519 26563->26536 26566->26493 26568->26560 26570 7ff6414e20f6 26569->26570 26572 7ff6414e20cb memcpy_s 26569->26572 26573 7ff6414e1474 33 API calls 3 library calls 26570->26573 26572->26319 26573->26572 26575 7ff64150864f SizeofResource 26574->26575 26576 7ff64150879b 26574->26576 26575->26576 26577 7ff641508669 LoadResource 26575->26577 26576->26355 26577->26576 26578 7ff641508682 LockResource 26577->26578 26578->26576 26579 7ff641508697 GlobalAlloc 26578->26579 26579->26576 26580 7ff6415086b8 GlobalLock 26579->26580 26581 7ff641508792 GlobalFree 26580->26581 26582 7ff6415086ca memcpy_s 26580->26582 26581->26576 26583 7ff6415086d8 CreateStreamOnHGlobal 26582->26583 26584 7ff6415086f6 GdipAlloc 26583->26584 26585 7ff641508789 GlobalUnlock 26583->26585 26586 7ff64150870b 26584->26586 26585->26581 26586->26585 26587 7ff64150875a GdipCreateHBITMAPFromBitmap 26586->26587 26588 7ff641508772 26586->26588 26587->26588 26588->26585 26590 7ff6415084cc 4 API calls 26589->26590 26591 7ff6415084aa 26590->26591 26592 7ff6415084b9 26591->26592 26600 7ff641508504 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 26591->26600 26592->26362 26592->26363 26592->26364 26594->26367 26596 7ff6415084e3 26595->26596 26597 7ff6415084de 26595->26597 26599 7ff641508df4 16 API calls _handle_error 26596->26599 26601 7ff641508590 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 26597->26601 26599->26372 26600->26592 26601->26596 26605 7ff6414f98fe _snwprintf 26602->26605 26603 7ff6414f9973 26720 7ff6414f68b0 48 API calls 26603->26720 26605->26603 26607 7ff6414f9a89 26605->26607 26606 7ff6414e1fa0 31 API calls 26609 7ff6414f99fd 26606->26609 26607->26609 26612 7ff6414e20b0 33 API calls 26607->26612 26608 7ff6414f997d memcpy_s 26608->26606 26610 
7ff6414fa42e 26608->26610 26671 7ff6414f24c0 26609->26671 26611 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 26610->26611 26613 7ff6414fa434 26611->26613 26612->26609 26617 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 26613->26617 26616 7ff6414f9a22 26618 7ff6414f204c 100 API calls 26616->26618 26620 7ff6414fa43a 26617->26620 26621 7ff6414f9a2b 26618->26621 26619 7ff6414f9b17 26689 7ff64151a450 26619->26689 26621->26613 26623 7ff6414f9a66 26621->26623 26628 7ff641512320 _handle_error 8 API calls 26623->26628 26624 7ff6414f9aad 26624->26619 26625 7ff6414f8e58 33 API calls 26624->26625 26625->26624 26627 7ff64151a450 31 API calls 26640 7ff6414f9b57 __vcrt_FlsAlloc 26627->26640 26629 7ff6414fa40e 26628->26629 26629->26375 26630 7ff6414f9c89 26632 7ff6414f2aa0 101 API calls 26630->26632 26643 7ff6414f9d5c 26630->26643 26634 7ff6414f9ca1 26632->26634 26635 7ff6414f28d0 104 API calls 26634->26635 26634->26643 26641 7ff6414f9cc9 26635->26641 26640->26630 26640->26643 26697 7ff6414f2bb0 26640->26697 26706 7ff6414f28d0 26640->26706 26711 7ff6414f2aa0 26640->26711 26641->26643 26664 7ff6414f9cd7 __vcrt_FlsAlloc 26641->26664 26721 7ff641500bbc MultiByteToWideChar 26641->26721 26716 7ff6414f204c 26643->26716 26644 7ff6414fa1ec 26656 7ff6414fa2c2 26644->26656 26727 7ff64151cf90 31 API calls 2 library calls 26644->26727 26646 7ff6414fa157 26646->26644 26724 7ff64151cf90 31 API calls 2 library calls 26646->26724 26648 7ff6414fa14b 26648->26375 26650 7ff6414fa2ae 26650->26656 26729 7ff6414f8cd0 33 API calls 2 library calls 26650->26729 26651 7ff6414fa249 26728 7ff64151b7bc 31 API calls _invalid_parameter_noinfo_noreturn 26651->26728 26652 7ff6414fa3a2 26653 7ff64151a450 31 API calls 26652->26653 26655 7ff6414fa3cb 26653->26655 26658 7ff64151a450 31 API calls 26655->26658 26656->26652 26660 7ff6414f8e58 33 API calls 26656->26660 26657 7ff6414fa16d 26725 7ff64151b7bc 31 API calls _invalid_parameter_noinfo_noreturn 26657->26725 26658->26643 
26660->26656 26661 7ff6414fa1d8 26661->26644 26726 7ff6414f8cd0 33 API calls 2 library calls 26661->26726 26662 7ff641500f68 WideCharToMultiByte 26662->26664 26664->26643 26664->26644 26664->26646 26664->26648 26664->26662 26665 7ff6414fa429 26664->26665 26722 7ff6414faa88 45 API calls _snwprintf 26664->26722 26723 7ff64151a270 31 API calls 2 library calls 26664->26723 26730 7ff641512624 8 API calls 26665->26730 26670 7ff6414fa468 26669->26670 26670->26377 26672 7ff6414f24fd CreateFileW 26671->26672 26674 7ff6414f25ae GetLastError 26672->26674 26683 7ff6414f266e 26672->26683 26675 7ff6414f6a0c 49 API calls 26674->26675 26676 7ff6414f25dc 26675->26676 26677 7ff6414f25e0 CreateFileW GetLastError 26676->26677 26682 7ff6414f262c 26676->26682 26677->26682 26678 7ff6414f26b1 SetFileTime 26681 7ff6414f26cf 26678->26681 26679 7ff6414f2708 26680 7ff641512320 _handle_error 8 API calls 26679->26680 26684 7ff6414f271b 26680->26684 26681->26679 26685 7ff6414e20b0 33 API calls 26681->26685 26682->26683 26686 7ff6414f2736 26682->26686 26683->26678 26683->26681 26684->26616 26684->26624 26685->26679 26687 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 26686->26687 26688 7ff6414f273b 26687->26688 26690 7ff64151a47d 26689->26690 26696 7ff64151a492 26690->26696 26731 7ff64151d69c 15 API calls abort 26690->26731 26692 7ff64151a487 26732 7ff6415178e4 31 API calls _invalid_parameter_noinfo 26692->26732 26694 7ff641512320 _handle_error 8 API calls 26695 7ff6414f9b37 26694->26695 26695->26627 26696->26694 26698 7ff6414f2bcd 26697->26698 26699 7ff6414f2be9 26697->26699 26700 7ff6414f2bfb 26698->26700 26733 7ff6414eb9c4 99 API calls _com_raise_error 26698->26733 26699->26700 26702 7ff6414f2c01 SetFilePointer 26699->26702 26700->26640 26702->26700 26703 7ff6414f2c1e GetLastError 26702->26703 26703->26700 26704 7ff6414f2c28 26703->26704 26704->26700 26734 7ff6414eb9c4 99 API calls _com_raise_error 26704->26734 26708 7ff6414f28f6 26706->26708 26710 7ff6414f28fd 26706->26710 26707 
7ff6414f2320 GetStdHandle ReadFile GetLastError GetLastError GetFileType 26707->26710 26708->26640 26710->26707 26710->26708 26735 7ff6414eb8a4 99 API calls _com_raise_error 26710->26735 26736 7ff6414f2778 26711->26736 26714 7ff6414f2ac7 26714->26640 26717 7ff6414f2066 26716->26717 26719 7ff6414f2072 26716->26719 26717->26719 26744 7ff6414f20d0 26717->26744 26720->26608 26721->26664 26722->26664 26723->26664 26724->26657 26725->26661 26726->26644 26727->26651 26728->26650 26729->26656 26730->26610 26731->26692 26732->26696 26742 7ff6414f2789 _snwprintf 26736->26742 26737 7ff6414f2890 SetFilePointer 26739 7ff6414f27b5 26737->26739 26741 7ff6414f28b8 GetLastError 26737->26741 26738 7ff641512320 _handle_error 8 API calls 26740 7ff6414f281d 26738->26740 26739->26738 26740->26714 26743 7ff6414eb9c4 99 API calls _com_raise_error 26740->26743 26741->26739 26742->26737 26742->26739 26745 7ff6414f20ea 26744->26745 26746 7ff6414f2102 26744->26746 26745->26746 26748 7ff6414f20f6 CloseHandle 26745->26748 26747 7ff6414f2126 26746->26747 26750 7ff6414eb544 99 API calls 26746->26750 26747->26719 26748->26746 26750->26747 26752 7ff64151156e 26751->26752 26758 7ff6415115d3 26751->26758 26767 7ff641511604 26752->26767 26755 7ff6415115ce 26757 7ff641511604 DloadReleaseSectionWriteAccess 3 API calls 26755->26757 26757->26758 26758->26388 26758->26399 26760 7ff6415118d1 26759->26760 26761 7ff641511878 26759->26761 26760->26391 26762 7ff641511604 DloadReleaseSectionWriteAccess 3 API calls 26761->26762 26763 7ff64151187d 26762->26763 26764 7ff6415118cc 26763->26764 26765 7ff6415117d8 DloadProtectSection 3 API calls 26763->26765 26766 7ff641511604 DloadReleaseSectionWriteAccess 3 API calls 26764->26766 26765->26764 26766->26760 26768 7ff64151161f 26767->26768 26769 7ff641511573 26767->26769 26768->26769 26770 7ff641511624 GetModuleHandleW 26768->26770 26769->26755 26774 7ff6415117d8 26769->26774 26771 7ff64151163e GetProcAddress 26770->26771 26772 7ff641511639 26770->26772 26771->26772 
26773 7ff641511653 GetProcAddress 26771->26773 26772->26769 26773->26772 26777 7ff6415117fa DloadProtectSection 26774->26777 26775 7ff641511802 26775->26755 26776 7ff64151183a VirtualProtect 26776->26775 26777->26775 26777->26776 26779 7ff6415116a4 VirtualQuery GetSystemInfo 26777->26779 26779->26776 26780->26413 26796 7ff641510df5 14 API calls _com_raise_error 26823 7ff64151154b 26824 7ff6415114a2 26823->26824 26825 7ff641511900 _com_raise_error 14 API calls 26824->26825 26826 7ff6415114e1 26825->26826 26827 7ff64151d94c 26828 7ff64151d997 26827->26828 26832 7ff64151d95b abort 26827->26832 26834 7ff64151d69c 15 API calls abort 26828->26834 26830 7ff64151d97e HeapAlloc 26831 7ff64151d995 26830->26831 26830->26832 26832->26828 26832->26830 26833 7ff64151bbc0 abort 2 API calls 26832->26833 26833->26832 26834->26831 26782 7ff64151bf2c 26789 7ff64151bc34 26782->26789 26794 7ff64151d440 35 API calls 2 library calls 26789->26794 26791 7ff64151bc3f 26795 7ff64151d068 35 API calls abort 26791->26795 26794->26791 25855 7ff6415103e0 25856 7ff641510497 25855->25856 25857 7ff64151041f 25855->25857 25858 7ff6414faae0 48 API calls 25856->25858 25888 7ff6414faae0 25857->25888 25860 7ff6415104ab 25858->25860 25862 7ff6414fda98 48 API calls 25860->25862 25869 7ff641510442 memcpy_s 25862->25869 25865 7ff641510541 25885 7ff6414e250c 25865->25885 25867 7ff6415105cc 25870 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 25867->25870 25868 7ff6415105c6 25898 7ff641517904 25868->25898 25869->25867 25869->25868 25880 7ff6414e1fa0 25869->25880 25873 7ff6415105d2 25870->25873 25881 7ff6414e1fb3 25880->25881 25882 7ff6414e1fdc 25880->25882 25881->25882 25883 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 25881->25883 25882->25865 25884 7ff6414e2000 25883->25884 25886 7ff6414e2513 25885->25886 25887 7ff6414e2516 SetDlgItemTextW 25885->25887 25886->25887 25889 7ff6414faaf3 25888->25889 25903 7ff6414f9774 25889->25903 25892 7ff6414fab58 LoadStringW 25893 7ff6414fab86 
25892->25893 25894 7ff6414fab71 LoadStringW 25892->25894 25895 7ff6414fda98 25893->25895 25894->25893 25940 7ff6414fd874 25895->25940 26033 7ff64151783c 31 API calls 3 library calls 25898->26033 25900 7ff64151791d 26034 7ff641517934 16 API calls abort 25900->26034 25910 7ff6414f9638 25903->25910 25905 7ff6414f97d9 25920 7ff641512320 25905->25920 25911 7ff6414f9692 25910->25911 25919 7ff6414f9730 25910->25919 25915 7ff6414f96c0 25911->25915 25933 7ff641500f68 WideCharToMultiByte 25911->25933 25913 7ff641512320 _handle_error 8 API calls 25914 7ff6414f9764 25913->25914 25914->25905 25929 7ff6414f9800 25914->25929 25918 7ff6414f96ef 25915->25918 25935 7ff6414faa88 45 API calls _snwprintf 25915->25935 25936 7ff64151a270 31 API calls 2 library calls 25918->25936 25919->25913 25921 7ff641512329 25920->25921 25922 7ff6414f97f2 25921->25922 25923 7ff641512550 IsProcessorFeaturePresent 25921->25923 25922->25892 25922->25893 25924 7ff641512568 25923->25924 25937 7ff641512744 RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 25924->25937 25926 7ff64151257b 25938 7ff641512510 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 25926->25938 25930 7ff6414f9840 25929->25930 25932 7ff6414f9869 25929->25932 25939 7ff64151a270 31 API calls 2 library calls 25930->25939 25932->25905 25934 7ff641500faa 25933->25934 25934->25915 25935->25918 25936->25919 25937->25926 25939->25932 25956 7ff6414fd4d0 25940->25956 25945 7ff6414fd8e5 _snwprintf 25952 7ff6414fd974 25945->25952 25970 7ff641519ef0 25945->25970 25997 7ff6414e9d78 33 API calls 25945->25997 25947 7ff641512320 _handle_error 8 API calls 25949 7ff6414fda2b 25947->25949 25948 7ff6414fda17 25948->25947 25949->25869 25950 7ff6414fda3f 25951 7ff641517904 _invalid_parameter_noinfo_noreturn 31 API calls 25950->25951 25953 7ff6414fda44 25951->25953 25954 7ff6414fd9a3 25952->25954 25998 7ff6414e9d78 33 API calls 25952->25998 25954->25948 25954->25950 25957 7ff6414fd665 25956->25957 25959 
7ff6414fd502 25956->25959 25960 7ff6414fcb80 25957->25960 25958 7ff6414e1744 33 API calls 25958->25959 25959->25957 25959->25958 25962 7ff6414fcbb6 25960->25962 25968 7ff6414fcc80 25960->25968 25964 7ff6414fcc20 25962->25964 25965 7ff6414fcc7b 25962->25965 25967 7ff6414fcbc6 25962->25967 25964->25967 25999 7ff6415121d0 25964->25999 26008 7ff6414e1f80 33 API calls 3 library calls 25965->26008 25967->25945 26009 7ff6414e2004 33 API calls std::_Xinvalid_argument 25968->26009 25971 7ff641519f36 25970->25971 25972 7ff641519f4e 25970->25972 26021 7ff64151d69c 15 API calls abort 25971->26021 25972->25971 25974 7ff641519f58 25972->25974 26023 7ff641517ef0 35 API calls 2 library calls 25974->26023 25976 7ff641519f3b 26022 7ff6415178e4 31 API calls _invalid_parameter_noinfo 25976->26022 25978 7ff641519f69 memcpy_s 26024 7ff641517e70 15 API calls memcpy_s 25978->26024 25979 7ff641512320 _handle_error 8 API calls 25980 7ff64151a10b 25979->25980 25980->25945 25982 7ff641519fd4 26025 7ff6415182f8 46 API calls 3 library calls 25982->26025 25984 7ff641519fdd 25985 7ff641519fe5 25984->25985 25986 7ff64151a014 25984->25986 26026 7ff64151d90c 25985->26026 25988 7ff64151a06c 25986->25988 25989 7ff64151a023 25986->25989 25990 7ff64151a092 25986->25990 25993 7ff64151a01a 25986->25993 25994 7ff64151d90c __free_lconv_num 15 API calls 25988->25994 25992 7ff64151d90c __free_lconv_num 15 API calls 25989->25992 25990->25988 25991 7ff64151a09c 25990->25991 25995 7ff64151d90c __free_lconv_num 15 API calls 25991->25995 25996 7ff641519f46 25992->25996 25993->25988 25993->25989 25994->25996 25995->25996 25996->25979 25997->25945 25998->25954 26000 7ff6415121db 25999->26000 26001 7ff6415121f4 26000->26001 26003 7ff6415121fa 26000->26003 26010 7ff64151bbc0 26000->26010 26001->25967 26004 7ff641512205 26003->26004 26013 7ff641512f7c RtlPcToFileHeader RaiseException _com_raise_error std::bad_alloc::bad_alloc 26003->26013 26014 7ff6414e1f80 33 API calls 3 library calls 26004->26014 26007 7ff64151220b 
26008->25968 26015 7ff64151bc00 26010->26015 26013->26004 26014->26007 26020 7ff64151f398 EnterCriticalSection 26015->26020 26021->25976 26022->25996 26023->25978 26024->25982 26025->25984 26027 7ff64151d911 RtlFreeHeap 26026->26027 26031 7ff64151d941 __free_lconv_num 26026->26031 26028 7ff64151d92c 26027->26028 26027->26031 26032 7ff64151d69c 15 API calls abort 26028->26032 26030 7ff64151d931 GetLastError 26030->26031 26031->25996 26032->26030 26033->25900 26797 7ff6415120f0 26798 7ff641512106 _com_error::_com_error 26797->26798 26803 7ff641514078 26798->26803 26800 7ff641512117 26801 7ff641511900 _com_raise_error 14 API calls 26800->26801 26802 7ff641512163 26801->26802 26804 7ff641514097 26803->26804 26805 7ff6415140b4 RtlPcToFileHeader 26803->26805 26804->26805 26806 7ff6415140db RaiseException 26805->26806 26807 7ff6415140cc 26805->26807 26806->26800 26807->26806 26836 7ff6415111cf 26837 7ff641511102 26836->26837 26838 7ff641511900 _com_raise_error 14 API calls 26837->26838 26838->26837
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: Item$Message$_invalid_parameter_noinfo_noreturn$Send$DialogText$File$ErrorLast$CloseFindFocusLoadStringViewWindow$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmap
                                                                        • String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
                                                                        • API String ID: 255727823-2702805183
                                                                        • Opcode ID: 8b4b8352451f730ee2ea3e5c754e013c938db1b5af9506e8b4e96f0d2fe7a3ee
                                                                        • Instruction ID: 7b86862a149f8f1dcb26cda036c9f33aab1b48236f6de1a2e91f357388bb3dce
                                                                        • Opcode Fuzzy Hash: 8b4b8352451f730ee2ea3e5c754e013c938db1b5af9506e8b4e96f0d2fe7a3ee
                                                                        • Instruction Fuzzy Hash: 89D2B1A2A0D78241EB2AFB65E8903F96761EF86784F504131D9AD87AB5DF3CE644C700
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$FileMessageMoveSend$DialogItemPathTemp
                                                                        • String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
                                                                        • API String ID: 3007431893-3916287355
                                                                        • Opcode ID: fcd01dd56a1b0d9a94054e53721844b88349af29849e6bffae24d093a89b8920
                                                                        • Instruction ID: 70b29c7b9a1c255bd8cce1c892482717e2a150b5c3a65535b3b812886aac6219
                                                                        • Opcode Fuzzy Hash: fcd01dd56a1b0d9a94054e53721844b88349af29849e6bffae24d093a89b8920
                                                                        • Instruction Fuzzy Hash: B813A5B2B0CB8285EB16FFA4D8402EC2BB1EB41798F500535DA6D97AE9DF38D595C340

                                                                        Control-flow Graph

                                                                        control_flow_graph 1466 7ff641510754-7ff641510829 call 7ff6414fdfd0 call 7ff6414f62dc call 7ff64150946c call 7ff641513cf0 call 7ff641509a14 1477 7ff64151082b-7ff641510840 1466->1477 1478 7ff641510860-7ff641510883 1466->1478 1479 7ff64151085b call 7ff64151220c 1477->1479 1480 7ff641510842-7ff641510855 1477->1480 1481 7ff6415108ba-7ff6415108dd 1478->1481 1482 7ff641510885-7ff64151089a 1478->1482 1479->1478 1480->1479 1487 7ff641510ddd-7ff641510de2 call 7ff641517904 1480->1487 1485 7ff6415108df-7ff6415108f4 1481->1485 1486 7ff641510914-7ff641510937 1481->1486 1483 7ff64151089c-7ff6415108af 1482->1483 1484 7ff6415108b5 call 7ff64151220c 1482->1484 1483->1484 1483->1487 1484->1481 1490 7ff6415108f6-7ff641510909 1485->1490 1491 7ff64151090f call 7ff64151220c 1485->1491 1492 7ff641510939-7ff64151094e 1486->1492 1493 7ff64151096e-7ff64151097a GetCommandLineW 1486->1493 1503 7ff641510de3-7ff641510df0 call 7ff641517904 1487->1503 1490->1487 1490->1491 1491->1486 1496 7ff641510969 call 7ff64151220c 1492->1496 1497 7ff641510950-7ff641510963 1492->1497 1499 7ff641510b47-7ff641510b5e call 7ff6414f6454 1493->1499 1500 7ff641510980-7ff6415109b7 call 7ff64151797c call 7ff6414e129c call 7ff64150cad0 1493->1500 1496->1493 1497->1487 1497->1496 1510 7ff641510b89-7ff641510ce4 call 7ff6414e1fa0 SetEnvironmentVariableW GetLocalTime call 7ff6414f3e28 SetEnvironmentVariableW GetModuleHandleW LoadIconW call 7ff64150b014 call 7ff6414f98ac call 7ff6415067b4 * 2 DialogBoxParamW call 7ff6415068a8 * 2 1499->1510 1511 7ff641510b60-7ff641510b85 call 7ff6414e1fa0 call 7ff641513640 1499->1511 1525 7ff6415109b9-7ff6415109cc 1500->1525 1526 7ff6415109ec-7ff6415109f3 1500->1526 1512 7ff641510df5-7ff641510e2f call 7ff641511900 1503->1512 1573 7ff641510ce6 Sleep 1510->1573 1574 7ff641510cec-7ff641510cf3 1510->1574 1511->1510 1521 7ff641510e34-7ff641510ea5 1512->1521 1521->1512 1530 7ff6415109e7 call 7ff64151220c 1525->1530 1531 
7ff6415109ce-7ff6415109e1 1525->1531 1532 7ff6415109f9-7ff641510a13 OpenFileMappingW 1526->1532 1533 7ff641510adb-7ff641510b12 call 7ff64151797c call 7ff6414e129c call 7ff64150fd0c 1526->1533 1530->1526 1531->1503 1531->1530 1537 7ff641510a19-7ff641510a39 MapViewOfFile 1532->1537 1538 7ff641510ad0-7ff641510ad9 CloseHandle 1532->1538 1533->1499 1555 7ff641510b14-7ff641510b27 1533->1555 1537->1538 1542 7ff641510a3f-7ff641510a6f UnmapViewOfFile MapViewOfFile 1537->1542 1538->1499 1542->1538 1545 7ff641510a71-7ff641510aca call 7ff64150a190 call 7ff64150fd0c call 7ff6414fb9b4 call 7ff6414fbb00 call 7ff6414fbb70 UnmapViewOfFile 1542->1545 1545->1538 1558 7ff641510b29-7ff641510b3c 1555->1558 1559 7ff641510b42 call 7ff64151220c 1555->1559 1558->1559 1562 7ff641510dd7-7ff641510ddc call 7ff641517904 1558->1562 1559->1499 1562->1487 1573->1574 1576 7ff641510cfa-7ff641510d1d call 7ff6414fb8e0 DeleteObject 1574->1576 1577 7ff641510cf5 call 7ff641509f4c 1574->1577 1581 7ff641510d1f DeleteObject 1576->1581 1582 7ff641510d25-7ff641510d2c 1576->1582 1577->1576 1581->1582 1583 7ff641510d48-7ff641510d59 1582->1583 1584 7ff641510d2e-7ff641510d35 1582->1584 1586 7ff641510d5b-7ff641510d67 call 7ff64150fe24 CloseHandle 1583->1586 1587 7ff641510d6d-7ff641510d7a 1583->1587 1584->1583 1585 7ff641510d37-7ff641510d43 call 7ff6414eba0c 1584->1585 1585->1583 1586->1587 1590 7ff641510d7c-7ff641510d89 1587->1590 1591 7ff641510d9f-7ff641510da4 call 7ff6415094e4 1587->1591 1594 7ff641510d99-7ff641510d9b 1590->1594 1595 7ff641510d8b-7ff641510d93 1590->1595 1598 7ff641510da9-7ff641510dd6 call 7ff641512320 1591->1598 1594->1591 1597 7ff641510d9d 1594->1597 1595->1591 1596 7ff641510d95-7ff641510d97 1595->1596 1596->1591 1597->1591
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
                                                                        • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                                        • API String ID: 1048086575-3710569615
                                                                        • Opcode ID: 7fb843965e060d2caf1f274bd47349aa60f49b36b68f6f054b76b7ae27a5abf6
                                                                        • Instruction ID: a980f7295ca234852854220e4e0adeb61fbdadf37d2786ff12d752b12e64b554
                                                                        • Opcode Fuzzy Hash: 7fb843965e060d2caf1f274bd47349aa60f49b36b68f6f054b76b7ae27a5abf6
                                                                        • Instruction Fuzzy Hash: DF127EA2E1CB8285EB1ABF24E8452F96761FF85784F504231DAAD87AB5DF3CE151C700

                                                                        Similarity
                                                                        • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWideswprintf
                                                                        • String ID: $%s:$CAPTION
                                                                        • API String ID: 2100155373-404845831
                                                                        • Opcode ID: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
                                                                        • Instruction ID: 43fc09f2f309da1afc25ed4d713dd9220d79cee1da31e274505c865b3860efb7
                                                                        • Opcode Fuzzy Hash: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
                                                                        • Instruction Fuzzy Hash: 1F91F872B1C6418AE719FF29E8046A9B7A1FB84784F505535EE5D97BA8CF3CE805CB00

                                                                        Similarity
                                                                        • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                                        • String ID: PNG
                                                                        • API String ID: 211097158-364855578
                                                                        • Opcode ID: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
                                                                        • Instruction ID: c59a7b70d033906720e197640c8f9e98d57eed4e5ef025ea243e6f3b1dfb6477
                                                                        • Opcode Fuzzy Hash: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
                                                                        • Instruction Fuzzy Hash: 534130A6A4DB0281EF1ABF96D4447F967A0AF89B94F140435CE2D87378EF7DE4588700
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                        • String ID: __tmp_reference_source_
                                                                        • API String ID: 3668304517-685763994
                                                                        • Opcode ID: ee1b9b2f793652c4fffa685adae4afd38ebba44b70748007b51654422c3c5d5b
                                                                        • Instruction ID: 413224f1b4460e86557a67ca4b57e1e3bb5685ef6edc857ee308bedbf9c28459
                                                                        • Opcode Fuzzy Hash: ee1b9b2f793652c4fffa685adae4afd38ebba44b70748007b51654422c3c5d5b
                                                                        • Instruction Fuzzy Hash: FCE26F62A0C7C292EB66FB65E1403AE67A2FB81790F404132DBAD937A5CF3CE555C700
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                        • String ID: CMT
                                                                        • API String ID: 3668304517-2756464174
                                                                        • Opcode ID: b72a447c2ddb22f05185b9639a81e7227c320d37a75114c120090eb22b33af98
                                                                        • Instruction ID: e9384678011ede3180670047fc498244faeb1c59f78cc11c356f95d179b74ac4
                                                                        • Opcode Fuzzy Hash: b72a447c2ddb22f05185b9639a81e7227c320d37a75114c120090eb22b33af98
                                                                        • Instruction Fuzzy Hash: EFE2EB62B0C78286EB1AFB64D5503FE67A2EB45394F440135DA6E8B7A6DF3CE255C300

                                                                        Control-flow Graph

                                                                        control_flow_graph 3712 7ff6414f40bc-7ff6414f40f3 3713 7ff6414f41d2-7ff6414f41df FindNextFileW 3712->3713 3714 7ff6414f40f9-7ff6414f4101 3712->3714 3717 7ff6414f41f3-7ff6414f41f6 3713->3717 3718 7ff6414f41e1-7ff6414f41f1 GetLastError 3713->3718 3715 7ff6414f4103 3714->3715 3716 7ff6414f4106-7ff6414f4118 FindFirstFileW 3714->3716 3715->3716 3716->3717 3719 7ff6414f411e-7ff6414f4146 call 7ff6414f6a0c 3716->3719 3721 7ff6414f4211-7ff6414f4253 call 7ff64151797c call 7ff6414e129c call 7ff6414f8090 3717->3721 3722 7ff6414f41f8-7ff6414f4200 3717->3722 3720 7ff6414f41ca-7ff6414f41cd 3718->3720 3732 7ff6414f4148-7ff6414f4164 FindFirstFileW 3719->3732 3733 7ff6414f4167-7ff6414f4170 3719->3733 3726 7ff6414f42eb-7ff6414f430e call 7ff641512320 3720->3726 3748 7ff6414f4255-7ff6414f426c 3721->3748 3749 7ff6414f428c-7ff6414f42e6 call 7ff6414ff168 * 3 3721->3749 3723 7ff6414f4205-7ff6414f420c call 7ff6414e20b0 3722->3723 3724 7ff6414f4202 3722->3724 3723->3721 3724->3723 3732->3733 3736 7ff6414f4172-7ff6414f4189 3733->3736 3737 7ff6414f41a9-7ff6414f41ad 3733->3737 3739 7ff6414f41a4 call 7ff64151220c 3736->3739 3740 7ff6414f418b-7ff6414f419e 3736->3740 3737->3717 3741 7ff6414f41af-7ff6414f41be GetLastError 3737->3741 3739->3737 3740->3739 3743 7ff6414f4315-7ff6414f431b call 7ff641517904 3740->3743 3745 7ff6414f41c0-7ff6414f41c6 3741->3745 3746 7ff6414f41c8 3741->3746 3745->3720 3745->3746 3746->3720 3751 7ff6414f426e-7ff6414f4281 3748->3751 3752 7ff6414f4287 call 7ff64151220c 3748->3752 3749->3726 3751->3752 3756 7ff6414f430f-7ff6414f4314 call 7ff641517904 3751->3756 3752->3749 3756->3743
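The edge list above is how the report prints a function's control-flow graph once the rendered picture is gone, and it is still enough to answer the questions a reverser asks of a directory-walking routine. The following Python script is an added example, not part of the Joe Sandbox report or of its IDA plugin. It parses that flattened format for the routine at 7ff6414f40bc; the token conventions it relies on (a block is `<id> <start>[-<end>]` followed by Win32 API names and `call <addr>` tokens, `call <addr> * N` means N calls to the same address, and `<src>-><dst>` is an edge) are inferred from the text of the report and are an assumption. From the parsed graph it reports which blocks call which API, whether any block is unreachable from the entry, where the function exits, and which API call each GetLastError check follows.

```python
import re
from collections import defaultdict, deque

# Constructed input: the control-flow graph the report prints for the routine at
# 7ff6414f40bc, copied verbatim (line breaks added only for readability).
CFG_TEXT = """
control_flow_graph 3712 7ff6414f40bc-7ff6414f40f3 3713 7ff6414f41d2-7ff6414f41df FindNextFileW
3712->3713 3714 7ff6414f40f9-7ff6414f4101 3712->3714 3717 7ff6414f41f3-7ff6414f41f6 3713->3717
3718 7ff6414f41e1-7ff6414f41f1 GetLastError 3713->3718 3715 7ff6414f4103 3714->3715
3716 7ff6414f4106-7ff6414f4118 FindFirstFileW 3714->3716 3715->3716 3716->3717
3719 7ff6414f411e-7ff6414f4146 call 7ff6414f6a0c 3716->3719
3721 7ff6414f4211-7ff6414f4253 call 7ff64151797c call 7ff6414e129c call 7ff6414f8090 3717->3721
3722 7ff6414f41f8-7ff6414f4200 3717->3722 3720 7ff6414f41ca-7ff6414f41cd 3718->3720
3732 7ff6414f4148-7ff6414f4164 FindFirstFileW 3719->3732 3733 7ff6414f4167-7ff6414f4170 3719->3733
3726 7ff6414f42eb-7ff6414f430e call 7ff641512320 3720->3726 3748 7ff6414f4255-7ff6414f426c 3721->3748
3749 7ff6414f428c-7ff6414f42e6 call 7ff6414ff168 * 3 3721->3749
3723 7ff6414f4205-7ff6414f420c call 7ff6414e20b0 3722->3723 3724 7ff6414f4202 3722->3724
3723->3721 3724->3723 3732->3733 3736 7ff6414f4172-7ff6414f4189 3733->3736
3737 7ff6414f41a9-7ff6414f41ad 3733->3737 3739 7ff6414f41a4 call 7ff64151220c 3736->3739
3740 7ff6414f418b-7ff6414f419e 3736->3740 3737->3717
3741 7ff6414f41af-7ff6414f41be GetLastError 3737->3741 3739->3737 3740->3739
3743 7ff6414f4315-7ff6414f431b call 7ff641517904 3740->3743
3745 7ff6414f41c0-7ff6414f41c6 3741->3745 3746 7ff6414f41c8 3741->3746 3745->3720 3745->3746 3746->3720
3751 7ff6414f426e-7ff6414f4281 3748->3751 3752 7ff6414f4287 call 7ff64151220c 3748->3752
3749->3726 3751->3752 3756 7ff6414f430f-7ff6414f4314 call 7ff641517904 3751->3756 3752->3749 3756->3743
"""

TOKEN_EDGE = re.compile(r"^(\d+)->(\d+)$")
TOKEN_ADDR = re.compile(r"^([0-9a-f]{8,})(?:-([0-9a-f]{8,}))?$")


def parse_cfg(text):
    """Parse the flattened edge list into (nodes, edges).

    nodes: block id -> {"start", "end", "apis", "calls"}; edges: list of (src, dst).
    The token conventions are inferred from the report and are an assumption.
    """
    tokens = text.split()
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok == "control_flow_graph":
            i += 1
        elif (m := TOKEN_EDGE.match(tok)):
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok.isdigit() and (m := TOKEN_ADDR.match(nxt)):
            cur = int(tok)  # new basic block: "<id> <start>[-<end>]"
            nodes[cur] = {"start": int(m.group(1), 16),
                          "end": int(m.group(2), 16) if m.group(2) else None,
                          "apis": [], "calls": []}
            i += 2
        elif cur is None:
            raise ValueError(f"unexpected token before first block: {tok!r}")
        elif tok == "call":  # "call <addr>": internal (non-imported) call target
            nodes[cur]["calls"].append(int(nxt, 16))
            i += 2
        elif tok == "*":     # "call <addr> * N": the same target called N times
            nodes[cur]["calls"].extend([nodes[cur]["calls"][-1]] * (int(nxt) - 1))
            i += 2
        else:                # anything else is a Win32 API name on this block
            nodes[cur]["apis"].append(tok)
            i += 1
    return nodes, edges


def blocks_calling(nodes, api):
    return sorted(b for b, n in nodes.items() if api in n["apis"])


def exit_blocks(nodes, edges):
    has_out = {src for src, _ in edges}
    return sorted(b for b in nodes if b not in has_out)


def reachable(edges, entry):
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
    seen, todo = {entry}, deque([entry])
    while todo:
        for d in succ[todo.popleft()]:
            if d not in seen:
                seen.add(d)
                todo.append(d)
    return seen


def apis_preceding(nodes, edges, block):
    """Walk predecessors backwards from `block` and stop on each path at the
    first block that makes a Win32 API call; return the set of those APIs."""
    pred = defaultdict(list)
    for s, d in edges:
        pred[d].append(s)
    found, seen, todo = set(), {block}, deque(pred[block])
    while todo:
        b = todo.popleft()
        if b in seen:
            continue
        seen.add(b)
        if nodes[b]["apis"]:
            found.update(nodes[b]["apis"])
        else:
            todo.extend(pred[b])
    return found


def analyze(text):
    nodes, edges = parse_cfg(text)
    entry = min(nodes, key=lambda b: nodes[b]["start"])  # lowest address = entry
    apis = sorted({a for n in nodes.values() for a in n["apis"]})
    return {
        "blocks": len(nodes),
        "edges": len(edges),
        "entry": entry,
        "unreachable": sorted(set(nodes) - reachable(edges, entry)),
        "exits": exit_blocks(nodes, edges),
        "api_blocks": {a: blocks_calling(nodes, a) for a in apis},
        "error_checks": {b: sorted(apis_preceding(nodes, edges, b))
                         for b in blocks_calling(nodes, "GetLastError")},
    }


if __name__ == "__main__":
    for key, value in analyze(CFG_TEXT).items():
        print(f"{key}: {value}")
```

On this routine the script finds two exit blocks (3726 and 3743, which call different internal targets), no unreachable block, and that each GetLastError sits directly after a FindFirstFileW or FindNextFileW call, the shape of a directory walk that inspects the error code after every enumeration call. The same parser applies unchanged to the other edge lists in this report.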
                                                                        Similarity
                                                                        • API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
                                                                        • String ID:
                                                                        • API String ID: 474548282-0
                                                                        • Opcode ID: 5b7a682f346ba33cc6e8113bf8bb974c5d06c867b30d63dc8f71ee7e42fd28a6
                                                                        • Instruction ID: d228e91e9c906b9614e3d0d1420745f5e92158cac7767d181f91d07df046f0e1
                                                                        • Opcode Fuzzy Hash: 5b7a682f346ba33cc6e8113bf8bb974c5d06c867b30d63dc8f71ee7e42fd28a6
                                                                        • Instruction Fuzzy Hash: CB618162A0C64681EB16FB28E9442AD6362FB857B4F505331EABD877E9DF3CD544C700

                                                                        Control-flow Graph

                                                                        control_flow_graph 3823 7ff6414e5e24-7ff6414e6129 call 7ff6414f833c call 7ff6414f85f0 3829 7ff6414e612e-7ff6414e6132 3823->3829 3830 7ff6414e6134-7ff6414e613c call 7ff6414e6fcc 3829->3830 3831 7ff6414e6141-7ff6414e6171 call 7ff6414f83d8 call 7ff6414f8570 call 7ff6414f8528 3829->3831 3836 7ff6414e697b 3830->3836 3849 7ff6414e6973-7ff6414e6976 call 7ff6414e466c 3831->3849 3850 7ff6414e6177-7ff6414e6179 3831->3850 3838 7ff6414e697e-7ff6414e6985 3836->3838 3840 7ff6414e69b4-7ff6414e69e3 call 7ff641512320 3838->3840 3841 7ff6414e6987-7ff6414e6998 3838->3841 3843 7ff6414e69af call 7ff64151220c 3841->3843 3844 7ff6414e699a-7ff6414e69ad 3841->3844 3843->3840 3844->3843 3847 7ff6414e69e4-7ff6414e69e9 call 7ff641517904 3844->3847 3858 7ff6414e69ea-7ff6414e69ef call 7ff641517904 3847->3858 3849->3836 3850->3849 3852 7ff6414e617f-7ff6414e6189 3850->3852 3852->3849 3855 7ff6414e618f-7ff6414e6192 3852->3855 3855->3849 3857 7ff6414e6198-7ff6414e61aa call 7ff6414f85f0 3855->3857 3857->3830 3863 7ff6414e61ac-7ff6414e61fd call 7ff6414f84f8 call 7ff6414f8528 * 2 3857->3863 3864 7ff6414e69f0-7ff6414e69f7 call 7ff641517904 3858->3864 3873 7ff6414e623f-7ff6414e6249 3863->3873 3874 7ff6414e61ff-7ff6414e6222 call 7ff6414e466c call 7ff6414eba0c 3863->3874 3876 7ff6414e624b-7ff6414e6260 call 7ff6414f8528 3873->3876 3877 7ff6414e6266-7ff6414e6270 3873->3877 3874->3873 3891 7ff6414e6224-7ff6414e622e call 7ff6414e433c 3874->3891 3876->3849 3876->3877 3878 7ff6414e6272-7ff6414e627b call 7ff6414f8528 3877->3878 3879 7ff6414e627e-7ff6414e6296 call 7ff6414e334c 3877->3879 3878->3879 3889 7ff6414e62b3 3879->3889 3890 7ff6414e6298-7ff6414e629b 3879->3890 3893 7ff6414e62b6-7ff6414e62c8 3889->3893 3890->3889 3892 7ff6414e629d-7ff6414e62b1 3890->3892 3891->3873 3892->3889 3892->3893 3895 7ff6414e62ce-7ff6414e62d1 3893->3895 3896 7ff6414e68b7-7ff6414e6929 call 7ff6414f4d04 call 7ff6414f8528 3893->3896 3897 7ff6414e6481-7ff6414e64f4 call 7ff6414f4c74 call 7ff6414f8528 * 2 3895->3897 3898 7ff6414e62d7-7ff6414e62da 3895->3898 3913 7ff6414e692b-7ff6414e6934 call 7ff6414f8528 3896->3913 3914 7ff6414e6936 3896->3914 3929 7ff6414e6507-7ff6414e6533 call 7ff6414f8528 3897->3929 3930 7ff6414e64f6-7ff6414e6500 3897->3930 3898->3897 3901 7ff6414e62e0-7ff6414e62e3 3898->3901 3904 7ff6414e62e5-7ff6414e62e8 3901->3904 3905 7ff6414e632e-7ff6414e6353 call 7ff6414f8528 3901->3905 3909 7ff6414e62ee-7ff6414e6329 call 7ff6414f8528 3904->3909 3910 7ff6414e696d-7ff6414e6971 3904->3910 3920 7ff6414e6355-7ff6414e638f call 7ff6414e4228 call 7ff6414e3c84 call 7ff6414e701c call 7ff6414e1fa0 3905->3920 3921 7ff6414e639e-7ff6414e63c5 call 7ff6414f8528 call 7ff6414f8384 3905->3921 3909->3910 3910->3838 3922 7ff6414e6939-7ff6414e6946 3913->3922 3914->3922 3970 7ff6414e6390-7ff6414e6399 call 7ff6414e1fa0 3920->3970 3942 7ff6414e6402-7ff6414e641f call 7ff6414f8444 3921->3942 3943 7ff6414e63c7-7ff6414e6400 call 7ff6414e4228 call 7ff6414e3c84 call 7ff6414e701c call 7ff6414e1fa0 3921->3943 3927 7ff6414e694c 3922->3927 3928 7ff6414e6948-7ff6414e694a 3922->3928 3933 7ff6414e694f-7ff6414e6959 3927->3933 3928->3927 3928->3933 3944 7ff6414e6535-7ff6414e6544 call 7ff6414f83d8 call 7ff6414ff134 3929->3944 3945 7ff6414e6549-7ff6414e6557 3929->3945 3930->3929 3933->3910 3937 7ff6414e695b-7ff6414e6968 call 7ff6414e4840 3933->3937 3937->3910 3960 7ff6414e6475-7ff6414e647c 3942->3960 3961 7ff6414e6421-7ff6414e646f call 7ff6414f8444 * 2 call 7ff6414fc800 call 7ff641514a70 3942->3961 3943->3970 3944->3945 3951 7ff6414e6572-7ff6414e6595 call 7ff6414f8528 3945->3951 3952 7ff6414e6559-7ff6414e656c call 7ff6414f83d8 3945->3952 3966 7ff6414e65a0-7ff6414e65b0 3951->3966 3967 7ff6414e6597-7ff6414e659e 3951->3967 3952->3951 3960->3910 3961->3960 3971 7ff6414e65b3-7ff6414e65eb call 7ff6414f8528 * 2 3966->3971 3967->3971 3970->3921 3987 7ff6414e65ed-7ff6414e65f4 3971->3987 3988 7ff6414e65f6-7ff6414e65fa 3971->3988 3990 7ff6414e6603-7ff6414e6632 3987->3990 3988->3990 3992 7ff6414e65fc 3988->3992 3993 7ff6414e6634-7ff6414e6638 3990->3993 3994 7ff6414e663f 3990->3994 3992->3990 3993->3994 3996 7ff6414e663a-7ff6414e663d 3993->3996 3995 7ff6414e6641-7ff6414e6656 3994->3995 3997 7ff6414e66ca 3995->3997 3998 7ff6414e6658-7ff6414e665b 3995->3998 3996->3995 4000 7ff6414e66d2-7ff6414e6731 call 7ff6414e3d00 call 7ff6414f8444 call 7ff641500d54 3997->4000 3998->3997 3999 7ff6414e665d-7ff6414e6683 3998->3999 3999->4000 4001 7ff6414e6685-7ff6414e66a9 3999->4001 4011 7ff6414e6733-7ff6414e6740 call 7ff6414e4840 4000->4011 4012 7ff6414e6745-7ff6414e6749 4000->4012 4003 7ff6414e66b2-7ff6414e66bf 4001->4003 4004 7ff6414e66ab 4001->4004 4003->4000 4006 7ff6414e66c1-7ff6414e66c8 4003->4006 4004->4003 4006->4000 4011->4012 4014 7ff6414e675b-7ff6414e6772 call 7ff64151797c 4012->4014 4015 7ff6414e674b-7ff6414e6756 call 7ff6414e473c 4012->4015 4021 7ff6414e6774 4014->4021 4022 7ff6414e6777-7ff6414e677e 4014->4022 4020 7ff6414e6859-7ff6414e6860 4015->4020 4023 7ff6414e6873-7ff6414e687b 4020->4023 4024 7ff6414e6862-7ff6414e6872 call 7ff6414e433c 4020->4024 4021->4022 4025 7ff6414e67a3-7ff6414e67ba call 7ff64151797c 4022->4025 4026 7ff6414e6780-7ff6414e6783 4022->4026 4023->3910 4029 7ff6414e6881-7ff6414e6892 4023->4029 4024->4023 4037 7ff6414e67bf-7ff6414e67c6 4025->4037 4038 7ff6414e67bc 4025->4038 4030 7ff6414e6785 4026->4030 4031 7ff6414e679c 4026->4031 4034 7ff6414e6894-7ff6414e68a7 4029->4034 4035 7ff6414e68ad-7ff6414e68b2 call 7ff64151220c 4029->4035 4036 7ff6414e6788-7ff6414e6791 4030->4036 4031->4025 4034->3864 4034->4035 4035->3910 4036->4025 4040 7ff6414e6793-7ff6414e679a 4036->4040 4037->4020 4041 7ff6414e67cc-7ff6414e67cf 4037->4041 4038->4037 4040->4031 4040->4036 4043 7ff6414e67d1 4041->4043 4044 7ff6414e67e8-7ff6414e67f0 4041->4044 4045 7ff6414e67d4-7ff6414e67dd 4043->4045 4044->4020 4046 7ff6414e67f2-7ff6414e6826 call 7ff6414f8360 call 7ff6414f8598 call 7ff6414f8528 4044->4046 4045->4020 4047 7ff6414e67df-7ff6414e67e6 4045->4047 4046->4020 4054 7ff6414e6828-7ff6414e6839 4046->4054 4047->4044 4047->4045 4055 7ff6414e6854 call 7ff64151220c 4054->4055 4056 7ff6414e683b-7ff6414e684e 4054->4056 4055->4020 4056->3858 4056->4055
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: CMT
                                                                        • API String ID: 0-2756464174
                                                                        • Opcode ID: b8fa635b894758bb4949fb57bddd48836ff0d2ecd2be86fe1bb2065c738ed5aa
                                                                        • Instruction ID: abf595e3e32cb256a56f6eb8161ee9a139f332b67138b7b2ce03411d580953f2
                                                                        • Opcode Fuzzy Hash: b8fa635b894758bb4949fb57bddd48836ff0d2ecd2be86fe1bb2065c738ed5aa
                                                                        • Instruction Fuzzy Hash: 6642BB62B0C7829BEB5AFB74D1502FD67A2EB51348F400136DB6E97696DF38E658C300
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6a2ba48437b82e373fac81338819d40f47a0019a50d197aab006f7cc31990992
                                                                        • Instruction ID: 3af4b01a9dbc81782e772e71c9efb04c897bcf14c4716737ebb5774236d4199b
                                                                        • Opcode Fuzzy Hash: 6a2ba48437b82e373fac81338819d40f47a0019a50d197aab006f7cc31990992
                                                                        • Instruction Fuzzy Hash: 9EE1E3A2A0C2824AEB69FF69E0442ED7B91FB4674CF044135DB6E87666CF3CE5818704
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Similarity
                                                                        • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                        • String ID:
                                                                        • API String ID: 3340455307-0

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
                                                                        • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
                                                                        • API String ID: 1496594111-2013832382
                                                                        APIs
                                                                          • Part of subcall function 00007FF6414F8E58: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6414F8F8D
                                                                        • _snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6414F9F75
                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6414FA42F
                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6414FA435
                                                                          • Part of subcall function 00007FF641500BBC: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF641500B44), ref: 00007FF641500BE9
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
                                                                        • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
                                                                        • API String ID: 3629253777-3268106645

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
                                                                        • String ID: H
                                                                        • API String ID: 3432403771-2852464175

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
                                                                        • String ID: .exe$.inf$Install$p
                                                                        • API String ID: 1054546013-3607691742

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Similarity
                                                                        • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                                        • String ID:
                                                                        • API String ID: 3569833718-0
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                        • String ID:
                                                                        • API String ID: 3668304517-0

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
                                                                        • String ID:
                                                                        • API String ID: 3536497005-0
                                                                        • Opcode ID: 7e74b88d639c8d570aa5cbccebcd9353285634c108726f52f9c563d03d833b9c
                                                                        • Instruction ID: 1a0d5d68514dcd536b310b35e9d0c92bf131ae90a87585b7e46715b05e9e8ad1
                                                                        • Opcode Fuzzy Hash: 7e74b88d639c8d570aa5cbccebcd9353285634c108726f52f9c563d03d833b9c
                                                                        • Instruction Fuzzy Hash: 2361D2A2A1C68185F725AB29E4047AE67A2FB857A8F101334DEBD43BE4DF3DD0558704

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: Global$Resource$Object$AllocBitmapCreateDeleteGdipLoadLock$FindFreeFromSizeofStreamUnlock
                                                                        • String ID: ]
                                                                        • API String ID: 3561356813-3352871620
                                                                        • Opcode ID: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
                                                                        • Instruction ID: 00b5bd2abd95ffd684df83966ef0bca24ddd0db2ae972141a30ca2ea04685358
                                                                        • Opcode Fuzzy Hash: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
                                                                        • Instruction Fuzzy Hash: 9F11D6A5F0D64241FB2AFB5196543F95791AF89BC8F080034D93D87BA9DE3CE8048604

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: Message$DialogDispatchPeekTranslate
                                                                        • String ID:
                                                                        • API String ID: 1266772231-0
                                                                        • Opcode ID: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
                                                                        • Instruction ID: 0249a7a0db2c33ec71235a6fb8ab905de417229f572dbfd77ba652c3f7f886ef
                                                                        • Opcode Fuzzy Hash: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
                                                                        • Instruction Fuzzy Hash: 64F0ECA6B3C94282FB59BB64E995BB62361FFD0745F806431E55EC1864DF3CD518CB00

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                        • String ID: EDIT
                                                                        • API String ID: 4243998846-3080729518
                                                                        • Opcode ID: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
                                                                        • Instruction ID: 858dce1837389f16e36a5de32caf747e986a64c6edae27e7e96187c9cf88008c
                                                                        • Opcode Fuzzy Hash: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
                                                                        • Instruction Fuzzy Hash: 00016DA1B1CA4381FB2ABB61A8103F66390AF99744F441031CD6DC6A78DE3CE1498B40

                                                                        Control-flow Graph (rendered graph not reproduced)
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: FileWrite$Handle
                                                                        • String ID:
                                                                        • API String ID: 4209713984-0
                                                                        • Opcode ID: 95d7fd16c8d926fcf5da752308064adee905e679e75eda990adbc5c1a1c917ca
                                                                        • Instruction ID: 8c505a63cf7955f38aa463a4faf43104036d5910fac18fb7916f98b7201c707a
                                                                        • Opcode Fuzzy Hash: 95d7fd16c8d926fcf5da752308064adee905e679e75eda990adbc5c1a1c917ca
                                                                        • Instruction Fuzzy Hash: 1F51D362B1D64292EB16FB25D444BBA2351FB84B90F540131EA6D87BE4DF3CE485C700

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn$TextWindow
                                                                        • String ID:
                                                                        • API String ID: 2912839123-0
                                                                        • Opcode ID: 34b731ebe9af3ba17aed105ea6cd5e0b01c3b8b12ff97f26908d03dc914b4b53
                                                                        • Instruction ID: 4d8c49ab491d400d36e1ce6658ddd365c01f63a71b45bf387194b39d8967c17b
                                                                        • Opcode Fuzzy Hash: 34b731ebe9af3ba17aed105ea6cd5e0b01c3b8b12ff97f26908d03dc914b4b53
                                                                        • Instruction Fuzzy Hash: B551AFA2F1866284FB0ABFA5D8442ED2762AF44BA4F500631DA3C97BE9DF6CD440C300
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
                                                                        • String ID:
                                                                        • API String ID: 2359106489-0
                                                                        • Opcode ID: 9d9d2995018f7f6f648ac6a5d97c5d37007cde808aee1d861722df7aa9659c46
                                                                        • Instruction ID: 8583afb856932682461eae8dc437c61803fb52622310eeb81758d90101a090b6
                                                                        • Opcode Fuzzy Hash: 9d9d2995018f7f6f648ac6a5d97c5d37007cde808aee1d861722df7aa9659c46
                                                                        • Instruction Fuzzy Hash: 6231F562A0C68281EB22BB25A6442BD6393FF887A0F544231EEADC37E4DF3CD445C700
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
                                                                        • String ID:
                                                                        • API String ID: 1452418845-0
                                                                        • Opcode ID: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
                                                                        • Instruction ID: 00ef615091d97af66d6dd46cfbe3a9d72e5c98b6022360350b89d18dd86ae7f7
                                                                        • Opcode Fuzzy Hash: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
                                                                        • Instruction Fuzzy Hash: A43159A5E4C20346FB5FBFA4A4113FA2B91AF41384F540434EA6ECB6F7DE6DA8058340
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast$FileHandleRead
                                                                        • String ID:
                                                                        • API String ID: 2244327787-0
                                                                        • Opcode ID: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
                                                                        • Instruction ID: cd30d8cbf51bf16724a65076143f14eb422800608d5d3e235cce72654987c3e8
                                                                        • Opcode Fuzzy Hash: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
                                                                        • Instruction Fuzzy Hash: 3021A462E0C55281EB61BF31A40067D63A2FB45B94F144530DA7DCAF94DF7CD8858B11
                                                                        APIs
                                                                          • Part of subcall function 00007FF6414FECD8: ResetEvent.KERNEL32 ref: 00007FF6414FECF1
                                                                          • Part of subcall function 00007FF6414FECD8: ReleaseSemaphore.KERNEL32 ref: 00007FF6414FED07
                                                                        • ReleaseSemaphore.KERNEL32 ref: 00007FF6414FE974
                                                                        • CloseHandle.KERNELBASE ref: 00007FF6414FE993
                                                                        • DeleteCriticalSection.KERNEL32 ref: 00007FF6414FE9AA
                                                                        • CloseHandle.KERNEL32 ref: 00007FF6414FE9B7
                                                                          • Part of subcall function 00007FF6414FEA5C: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF6414FE95F,?,?,?,00007FF6414F463A,?,?,?), ref: 00007FF6414FEA63
                                                                          • Part of subcall function 00007FF6414FEA5C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6414FE95F,?,?,?,00007FF6414F463A,?,?,?), ref: 00007FF6414FEA6E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                                        • String ID:
                                                                        • API String ID: 502429940-0
                                                                        • Opcode ID: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
                                                                        • Instruction ID: 1366eb80ff213ff65391554c1922f8ecaeb354cf7b10aa2452f23b8d7047c77e
                                                                        • Opcode Fuzzy Hash: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
                                                                        • Instruction Fuzzy Hash: 63012D33A18A8192E749FB21E5446ADA361FB84B80F004031DB6D53665CF39E5B58B44
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: Thread$CreatePriority
                                                                        • String ID: CreateThread failed
                                                                        • API String ID: 2610526550-3849766595
                                                                        • Opcode ID: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
                                                                        • Instruction ID: 3f8dbf5d7b01ea700d510fea39ed106c637d3569bb648402b833bcd2ceb0bc13
                                                                        • Opcode Fuzzy Hash: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
                                                                        • Instruction Fuzzy Hash: 92118F72A0CB4291EB06FB10E8412EA7361FB84785F544531EA6D83779DF3CE695CB40
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: DirectoryInitializeMallocSystem
                                                                        • String ID: riched20.dll
                                                                        • API String ID: 174490985-3360196438
                                                                        • Opcode ID: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
                                                                        • Instruction ID: 9267e3f268d207d55dfdc1caf067706e8e18faa364629f8a3660a5d6d5911b14
                                                                        • Opcode Fuzzy Hash: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
                                                                        • Instruction Fuzzy Hash: CEF0FFB1A1CA8182EB56BF60F4552EAB7A0FB88754F440135E99D82B64DF7CE159CB00
                                                                        APIs
                                                                          • Part of subcall function 00007FF64150853C: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF64150856C
                                                                          • Part of subcall function 00007FF6414FAAE0: LoadStringW.USER32 ref: 00007FF6414FAB67
                                                                          • Part of subcall function 00007FF6414FAAE0: LoadStringW.USER32 ref: 00007FF6414FAB80
                                                                          • Part of subcall function 00007FF6414E1FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6414E1FFB
                                                                          • Part of subcall function 00007FF6414E129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6414E1396
                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6415101BB
                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6415101C1
                                                                        • SendDlgItemMessageW.USER32 ref: 00007FF6415101F2
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
                                                                        • String ID:
                                                                        • API String ID: 3106221260-0
                                                                        • Opcode ID: 7d1f69911a00d0741de56b49c262a8841e6eb375053cbff927e1aaae2ee712c8
                                                                        • Instruction ID: 54a0959faa35c6f8e7b68a58e76c541c4e207c0be69f0153e99d4e8c894159ec
                                                                        • Opcode Fuzzy Hash: 7d1f69911a00d0741de56b49c262a8841e6eb375053cbff927e1aaae2ee712c8
                                                                        • Instruction Fuzzy Hash: E851B3A2F5C74286FB16BBA5D8512FD2362AB89BC8F500136DE2D977E6DE2CD504C340
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: CreateFile$_invalid_parameter_noinfo_noreturn
                                                                        • String ID:
                                                                        • API String ID: 2272807158-0
                                                                        • Opcode ID: 4ce248ffffd21e537046429b603db88a9fd2a3d13b10b45fb751dcef003d6319
                                                                        • Instruction ID: 04342dbaa78208d15c04da5b7fe6aa98bff881075da745621d374a5b008c3764
                                                                        • Opcode Fuzzy Hash: 4ce248ffffd21e537046429b603db88a9fd2a3d13b10b45fb751dcef003d6319
                                                                        • Instruction Fuzzy Hash: 3A41A066A0C78282EB25AB15E4446A967A2FB84BB4F105334DFBD43BD5CF3CE4908704
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
                                                                        • String ID:
                                                                        • API String ID: 2176759853-0
                                                                        • Opcode ID: 324ad9725680782466c8b9226039195d64c3332d7d8035b24254b52cca95445d
                                                                        • Instruction ID: bbf953cf685b3f7b415499818520e223d7112f4bfdab5bdcac3f3eeab1d51371
                                                                        • Opcode Fuzzy Hash: 324ad9725680782466c8b9226039195d64c3332d7d8035b24254b52cca95445d
                                                                        • Instruction Fuzzy Hash: 6221A2A2A1CB8181EB15FB65B9405BAA365FB89BD0F144235EBDD43BA5CF3CD190C700
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: std::bad_alloc::bad_alloc
                                                                        • String ID:
                                                                        • API String ID: 1875163511-0
                                                                        • Opcode ID: 5d5f35b7d0b1a8ec44982466ed86c266d3277025963138b758b7e20b27780546
                                                                        • Instruction ID: cfa6d24e2f64e2a478280575a80177176def8eae88c332f8ce7ed089a2f82624
                                                                        • Opcode Fuzzy Hash: 5d5f35b7d0b1a8ec44982466ed86c266d3277025963138b758b7e20b27780546
                                                                        • Instruction Fuzzy Hash: 2A31D492A0C68651FB2AFB50E4443F967A0FB51788F044031D6AC869B5DF7CE646C302
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                                                        • String ID:
                                                                        • API String ID: 1203560049-0
                                                                        • Opcode ID: 523e4a483c86c9ac9ee543cf6c476d9bf2e9d6353514affc3e0f4067b8c7bc61
                                                                        • Instruction ID: 7382ca9f750a30cd44bd4d121f0895f7b34378a1957a9342bcf2a8fbdf256611
                                                                        • Opcode Fuzzy Hash: 523e4a483c86c9ac9ee543cf6c476d9bf2e9d6353514affc3e0f4067b8c7bc61
                                                                        • Instruction Fuzzy Hash: D221B863B1C68541EB26BF25E4452A96362FF88794F105230EAAD837E5DF3CD545CB00
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
                                                                        • String ID:
                                                                        • API String ID: 3118131910-0
                                                                        • Opcode ID: 9e0f12d03b62ccef14e62e4bf3878a3457daa81ed2db8d115c48a0739d4b379d
                                                                        • Instruction ID: 9fa06b63e1f3a9e98633380fb4837f74c45b45cdbe05160d3a755fa85a5c4615
                                                                        • Opcode Fuzzy Hash: 9e0f12d03b62ccef14e62e4bf3878a3457daa81ed2db8d115c48a0739d4b379d
                                                                        • Instruction Fuzzy Hash: B821C862A1C78181EF11BB25F4452AE7361FF88B94F501231EAAE83BA5DF3CD144CB00
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                                                        • String ID:
                                                                        • API String ID: 1203560049-0
                                                                        • Opcode ID: d981565e32c06465bb9ca9e6032df0ff87469bcd01ee0110978b6e45bf249536
                                                                        • Instruction ID: fab82215d16d689e6342f0d01037bda883731fbf53dd138ed587e4495d472039
                                                                        • Opcode Fuzzy Hash: d981565e32c06465bb9ca9e6032df0ff87469bcd01ee0110978b6e45bf249536
                                                                        • Instruction Fuzzy Hash: 84216062A1C68181EB15FB29F44516963A2FB89BA4F500231EAAD83BA9DF3CD541CB04
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: Process$CurrentExitTerminate
                                                                        • String ID:
                                                                        • API String ID: 1703294689-0
                                                                        • Opcode ID: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
                                                                        • Instruction ID: 7037b27cb68ad5cd2dd554737ec71260c9d0fc3abd438845f089f0a829ddec4c
                                                                        • Opcode Fuzzy Hash: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
                                                                        • Instruction Fuzzy Hash: E3E01AA5E0C30546EB5A7F7198957F927A26F88B41F144438D82A863B6CE3EA4098A00
                                                                        APIs
                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6414EF895
                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6414EF89B
                                                                          • Part of subcall function 00007FF6414F3EC8: FindClose.KERNELBASE(?,?,00000000,00007FF641500811), ref: 00007FF6414F3EFD
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn$CloseFind
                                                                        • String ID:
                                                                        • API String ID: 3587649625-0
                                                                        • Opcode ID: 31de71ccb13629eb4e8ff473cf0e989b9a8a473b909947ada8621b483159802c
                                                                        • Instruction ID: 3173aa5801c190af8b576114cb1bb8428cac5824d884f103ca92f41b2664ac38
                                                                        • Opcode Fuzzy Hash: 31de71ccb13629eb4e8ff473cf0e989b9a8a473b909947ada8621b483159802c
                                                                        • Instruction Fuzzy Hash: 3191AF73A1CB9190EB12FF64D4402ED6761FB84798F904136EA5C87AE9DF78D685C310
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                        • String ID:
                                                                        • API String ID: 3668304517-0
                                                                        • Opcode ID: 402f2d810e1efc6a759daaa5297bed4678b331cbcfb426b8061d29b6a9ebee63
                                                                        • Instruction ID: 841a8ee39664137a9140808014c62b66a451eda2ce34fa30bbaf03f3b7046b4b
                                                                        • Opcode Fuzzy Hash: 402f2d810e1efc6a759daaa5297bed4678b331cbcfb426b8061d29b6a9ebee63
                                                                        • Instruction Fuzzy Hash: 5241DE62F1C75284FB06FBB5D4402ED2721AF44BD8F141235EE2DA7A9ACF38E5828300
                                                                        APIs
                                                                        • SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF6414F274D), ref: 00007FF6414F28A9
                                                                        • GetLastError.KERNEL32(?,00007FF6414F274D), ref: 00007FF6414F28B8
                                                                        Similarity
                                                                        • API ID: ErrorFileLastPointer
                                                                        • String ID:
                                                                        • API String ID: 2976181284-0
                                                                        • Opcode ID: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
                                                                        • Instruction ID: e9867ccd8c99c661df0e3fa466848096027860d3ad36cfd08f3739b177f109b0
                                                                        • Opcode Fuzzy Hash: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
                                                                        • Instruction Fuzzy Hash: BB31B862B1D95282EB66BB2AD540AB52391EF04BD4F140231EE2D87FA0DF3CE9418740
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: Item_invalid_parameter_noinfo_noreturn
                                                                        • String ID:
                                                                        • API String ID: 1746051919-0
                                                                        • Opcode ID: 8763c555b957396376e96df864685bb2527d49eefc22d4d720e740779d29c564
                                                                        • Instruction ID: 1e8c79abd76329e8c45034463879bd9b84c838c04017f4f2ec95d6c3425338b6
                                                                        • Opcode Fuzzy Hash: 8763c555b957396376e96df864685bb2527d49eefc22d4d720e740779d29c564
                                                                        • Instruction Fuzzy Hash: 2E31CF62A1C78582EB16FF25F4453BEB361EB84B90F404231EAAC47BA5DF3CE1408B04
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: File$BuffersFlushTime
                                                                        • String ID:
                                                                        • API String ID: 1392018926-0
                                                                        • Opcode ID: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
                                                                        • Instruction ID: 0be5d4e7d1212468958b30827047c564576a5fca3a31f3f47343dacdc58133db
                                                                        • Opcode Fuzzy Hash: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
                                                                        • Instruction Fuzzy Hash: 6121E062F0DB4A61EB67BF51D414BBA5792AF01794F154031DF5C42BA5EE3CD586C300
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: LoadString
                                                                        • String ID:
                                                                        • API String ID: 2948472770-0
                                                                        • Opcode ID: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
                                                                        • Instruction ID: eff161db8f7b10f266fe2a228454af4326df86988e97cf7dfc76e832e8371aeb
                                                                        • Opcode Fuzzy Hash: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
                                                                        • Instruction Fuzzy Hash: E5118BB1B0C61186EB0ABF16E8402A877A2BB88FC0BA44835CE2DD3731DF7CE5518344
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: ErrorFileLastPointer
                                                                        • String ID:
                                                                        • API String ID: 2976181284-0
                                                                        • Opcode ID: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
                                                                        • Instruction ID: 20d2a2180b9f20ee711a120d2e3748e72d03bf6bb210c7ac135863aba2ff48ab
                                                                        • Opcode Fuzzy Hash: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
                                                                        • Instruction Fuzzy Hash: 1511B131A0CA8281EB62BB65E8417B96361FB44BB4F540331DA7D86BE5CF3CD992C700
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: ItemRectTextWindow$Clientswprintf
                                                                        • String ID:
                                                                        • API String ID: 3322643685-0
                                                                        • Opcode ID: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
                                                                        • Instruction ID: cfb83d7e5f41b621da9e4e7bae33fbdadbc27231eb13abe2f57896d5e308dd95
                                                                        • Opcode Fuzzy Hash: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
                                                                        • Instruction Fuzzy Hash: 7F017160B0D34A41FF5BB752A6587BA5391AF85748F084034C85E877EADF3CE984C300
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6414FEBAD,?,?,?,?,00007FF6414F5752,?,?,?,00007FF6414F56DE), ref: 00007FF6414FEB5C
                                                                        • GetProcessAffinityMask.KERNEL32 ref: 00007FF6414FEB6F
                                                                        Similarity
                                                                        • API ID: Process$AffinityCurrentMask
                                                                        • String ID:
                                                                        • API String ID: 1231390398-0
                                                                        • Opcode ID: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
                                                                        • Instruction ID: 01de149d81d1feaf1cf082478e9d64dfb36679bc0e876542d6d297be52fd8459
                                                                        • Opcode Fuzzy Hash: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
                                                                        • Instruction Fuzzy Hash: BEE06561B1854A46DB5AAB55C4515E963D2BF88B40B848035D61BC3618DE2CE6458B00
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
                                                                        • String ID:
                                                                        • API String ID: 1173176844-0
                                                                        • Opcode ID: c507040392a2377e4895e65205c3b95c5fe2146e3485fc393c80d7c2ffdcaf26
                                                                        • Instruction ID: 57419cfbf5e134f4e0f83da335dda88fff231adc37a2593ba51460a4aa51fd2d
                                                                        • Opcode Fuzzy Hash: c507040392a2377e4895e65205c3b95c5fe2146e3485fc393c80d7c2ffdcaf26
                                                                        • Instruction Fuzzy Hash: 8CE012C5E4D10B45FF2FBA7128261F80A501F69770E3C1B30DE3EC46F2AE1CA5958250
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: ErrorFreeHeapLast
                                                                        • String ID:
                                                                        • API String ID: 485612231-0
                                                                        • Opcode ID: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
                                                                        • Instruction ID: 51ef4a4a221726c558069ec27470f7dc9edccf150e57375d232b6a114e82d6b6
                                                                        • Opcode Fuzzy Hash: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
                                                                        • Instruction Fuzzy Hash: D0E0B6E1E4D50346FF1FBFF298492F82AD25F98B55B044434C92DCA272EF2CA8958A00
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                        • String ID:
                                                                        • API String ID: 3668304517-0
                                                                        • Opcode ID: db0f75601c8d953953658c1d14be6529ec917dbd1ad2d5887d518296e9f1c024
                                                                        • Instruction ID: 46c37a19dbc512ac4c5503f4fd4d3cde92f4c10fcbbf47cf34ecbe011ba35db7
                                                                        • Opcode Fuzzy Hash: db0f75601c8d953953658c1d14be6529ec917dbd1ad2d5887d518296e9f1c024
                                                                        • Instruction Fuzzy Hash: E7D16EB2B0C78256EB6BFB2596442B97BA1FF05B84F044435CA5D877A5CF3CE6618B00
                                                                        APIs
Similarity
• API ID: CompareString_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 1017591355-0
APIs
  • Part of subcall function 00007FF6414FE948: ReleaseSemaphore.KERNEL32 ref: 00007FF6414FE974
  • Part of subcall function 00007FF6414FE948: CloseHandle.KERNELBASE ref: 00007FF6414FE993
  • Part of subcall function 00007FF6414FE948: DeleteCriticalSection.KERNEL32 ref: 00007FF6414FE9AA
  • Part of subcall function 00007FF6414FE948: CloseHandle.KERNEL32 ref: 00007FF6414FE9B7
• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF641501ACB
Similarity
• API ID: CloseHandle$CriticalDeleteReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 904680172-0
APIs
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3668304517-0
APIs
  • Part of subcall function 00007FF6414F3EC8: FindClose.KERNELBASE(?,?,00000000,00007FF641500811), ref: 00007FF6414F3EFD
• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6414EE993
Similarity
• API ID: CloseFind_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 1011579015-0
APIs
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3668304517-0
APIs
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3668304517-0
APIs
Similarity
• API ID: HandleModule$AddressFreeLibraryProc
• String ID:
• API String ID: 3947729631-0
APIs
Similarity
• API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
• String ID:
• API String ID: 680105476-0
APIs
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
APIs
  • Part of subcall function 00007FF64150F0A4: GetDlgItem.USER32 ref: 00007FF64150F0E3
  • Part of subcall function 00007FF64150F0A4: ShowWindow.USER32 ref: 00007FF64150F109
  • Part of subcall function 00007FF64150F0A4: SendMessageW.USER32 ref: 00007FF64150F11E
  • Part of subcall function 00007FF64150F0A4: SendMessageW.USER32 ref: 00007FF64150F136
  • Part of subcall function 00007FF64150F0A4: SendMessageW.USER32 ref: 00007FF64150F157
  • Part of subcall function 00007FF64150F0A4: SendMessageW.USER32 ref: 00007FF64150F173
  • Part of subcall function 00007FF64150F0A4: SendMessageW.USER32 ref: 00007FF64150F1B6
  • Part of subcall function 00007FF64150F0A4: SendMessageW.USER32 ref: 00007FF64150F1D4
  • Part of subcall function 00007FF64150F0A4: SendMessageW.USER32 ref: 00007FF64150F1E8
  • Part of subcall function 00007FF64150F0A4: SendMessageW.USER32 ref: 00007FF64150F212
  • Part of subcall function 00007FF64150F0A4: SendMessageW.USER32 ref: 00007FF64150F22A
• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64150FD03
Similarity
• API ID: MessageSend$ItemShowWindow_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 1587882848-0
APIs
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3668304517-0
APIs
  • Part of subcall function 00007FF641511604: GetModuleHandleW.KERNEL32(?,?,?,00007FF641511573,?,?,?,00007FF64151192A), ref: 00007FF64151162B
• DloadProtectSection.DELAYIMP ref: 00007FF6415115C9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: DloadHandleModuleProtectSection
                                                                        • String ID:
                                                                        • API String ID: 2883838935-0
                                                                        • Opcode ID: 908f49ac33541a8240f4269ada82e733cc5c0c647bda27ab8868a2cee9a60ef3
                                                                        • Instruction ID: c1268b9b29ec020ca08aa7a9cb809213904f3e160d80251caa0a63a3aa6be32a
                                                                        • Opcode Fuzzy Hash: 908f49ac33541a8240f4269ada82e733cc5c0c647bda27ab8868a2cee9a60ef3
                                                                        • Instruction Fuzzy Hash: 2111BEE1E4C50751FB5FBFA5A8803F02790AF14748F140474C92DC63B6EF3CA4A59A40
                                                                        APIs
                                                                          • Part of subcall function 00007FF6414F40BC: FindFirstFileW.KERNELBASE ref: 00007FF6414F410B
                                                                          • Part of subcall function 00007FF6414F40BC: FindFirstFileW.KERNEL32 ref: 00007FF6414F415E
                                                                          • Part of subcall function 00007FF6414F40BC: GetLastError.KERNEL32 ref: 00007FF6414F41AF
                                                                        • FindClose.KERNELBASE(?,?,00000000,00007FF641500811), ref: 00007FF6414F3EFD
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: Find$FileFirst$CloseErrorLast
                                                                        • String ID:
                                                                        • API String ID: 1464966427-0
                                                                        • Opcode ID: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
                                                                        • Instruction ID: ee95db502b2a827ef72b64c9702feea78409dd2cb28bdd6f4f9387ca823e010b
                                                                        • Opcode Fuzzy Hash: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
                                                                        • Instruction Fuzzy Hash: 2DF0A46290C24185DB11FB75A2001B93761DB15BB4F141374EA7D473C7CE2CD444C755
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: File
                                                                        • String ID:
                                                                        • API String ID: 749574446-0
                                                                        • Opcode ID: 182d9e1e92039184aab4081fafd09b1cf385b4bd914a3c272b872952a66d9790
                                                                        • Instruction ID: 2cc007a89fb7c710b6af87a0f6a90430b2aa8da717082c422324a8f9a4ca4048
                                                                        • Opcode Fuzzy Hash: 182d9e1e92039184aab4081fafd09b1cf385b4bd914a3c272b872952a66d9790
                                                                        • Instruction Fuzzy Hash: 87E0C252B2851582EF25BB7AC842AB813A1EF8CF84B481030CE1C87731CF2CD4818B00
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: FileType
                                                                        • String ID:
                                                                        • API String ID: 3081899298-0
                                                                        • Opcode ID: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
                                                                        • Instruction ID: a01166820b38cfac6b722e0c0cd89c67b9309f36afe5b03b448b019fa3edbcfa
                                                                        • Opcode Fuzzy Hash: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
                                                                        • Instruction Fuzzy Hash: 3BD02212D0D80082DF00B7359C4107C2360AF82338FA00330C23EC1BE1CE1CD086AB01
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: CurrentDirectory
                                                                        • String ID:
                                                                        • API String ID: 1611563598-0
                                                                        • Opcode ID: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
                                                                        • Instruction ID: 5c4431739dececfd56b1f95e6433bd4d03ebe2ffd9161a569003bbe196fd617f
                                                                        • Opcode Fuzzy Hash: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
                                                                        • Instruction Fuzzy Hash: 81C08C21F09502C1DB087B26C8C905813A5BB50B05B708034C11CC1230CE2CC5EA9749
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: AllocHeap
                                                                        • String ID:
                                                                        • API String ID: 4292702814-0
                                                                        • Opcode ID: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
                                                                        • Instruction ID: 6eabfd70805218b8be651dbcc1aa6fdbe63d1da3f147e9064ca1e31a1cc23720
                                                                        • Opcode Fuzzy Hash: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
                                                                        • Instruction Fuzzy Hash: 4BF049D2F0D2074AFF5FBF6199113F41A905F89B90F0C5432C92ECA3A1EE6CA6898210
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: AllocHeap
                                                                        • String ID:
                                                                        • API String ID: 4292702814-0
                                                                        • Opcode ID: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
                                                                        • Instruction ID: 6c70dd6b537610ef385d4716ca6d26b6c446c0f14118a2c4f1d3e64f3377a8fd
                                                                        • Opcode Fuzzy Hash: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
                                                                        • Instruction Fuzzy Hash: 1AF0D491F0D24645FF6F7FA158592F92A925F887A0F085A30D97EC62E1DE2CA4808610
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: CloseHandle
                                                                        • String ID:
                                                                        • API String ID: 2962429428-0
                                                                        • Opcode ID: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
                                                                        • Instruction ID: 13e36b74ad1976b903104aa956edc4534966a954ae733ca13d3c409ae96dbcaf
                                                                        • Opcode Fuzzy Hash: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
                                                                        • Instruction Fuzzy Hash: 4EF0C226A0C68295FB26FB30E1417B92762EB14B78F584334D73D816D4CF28D895C708
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
                                                                        • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                        • API String ID: 2659423929-3508440684
                                                                        • Opcode ID: 133043678a36d966ba880c912d6856c5696a7c6c433e50d223eb52f27bd95b56
                                                                        • Instruction ID: 08fc3d66d602974f6e3fd2574e56cac080733fb5836f1771393c80aa9508bdb5
                                                                        • Opcode Fuzzy Hash: 133043678a36d966ba880c912d6856c5696a7c6c433e50d223eb52f27bd95b56
                                                                        • Instruction Fuzzy Hash: 0E628EA2F1C74285FB06FBB4D4442ED2761AB857A4F504231DA6D97AEADF3CE685C300
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
                                                                        • String ID: %ls$%s: %s
                                                                        • API String ID: 2539828978-2259941744
                                                                        • Opcode ID: 945c123c5738f6103966ecffbffa27c83b3bf35cf43ea0aac1725ee40d95c140
                                                                        • Instruction ID: e54cd58602da732e30bf7dbce4fb816e291c698c92e23809ef95b94f908221eb
                                                                        • Opcode Fuzzy Hash: 945c123c5738f6103966ecffbffa27c83b3bf35cf43ea0aac1725ee40d95c140
                                                                        • Instruction Fuzzy Hash: 71B2C5A2E5C68241EB16BB69E4541FA6712EFC67D4F104236E6AD83BF6EF2CD140C704
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfomemcpy_s
                                                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                        • API String ID: 1759834784-2761157908
                                                                        • Opcode ID: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
                                                                        • Instruction ID: 1f3c83ebd93cd61d8572d8f7e2b0e789751393a27443dcc36dad563ee003871a
                                                                        • Opcode Fuzzy Hash: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
                                                                        • Instruction Fuzzy Hash: 11B2F8B7E0C1828AE76ABF65D5406F937A1FB48788F105535DA2A97BA4DF38E5048F00
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
                                                                        • String ID: rtmp
                                                                        • API String ID: 3587137053-870060881
                                                                        Similarity
                                                                        • API ID: FullNamePath_invalid_parameter_noinfo_noreturn
                                                                        • String ID:
                                                                        • API String ID: 1693479884-0
                                                                        Similarity
                                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                        • String ID:
                                                                        • API String ID: 3140674995-0
                                                                        Similarity
                                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                        • String ID:
                                                                        • API String ID: 1239891234-0
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                        • String ID:
                                                                        • API String ID: 3668304517-0
                                                                        APIs
                                                                        • _invalid_parameter_noinfo.LIBCMT ref: 00007FF64151FAC4
                                                                          • Part of subcall function 00007FF641517934: GetCurrentProcess.KERNEL32(00007FF641520CCD), ref: 00007FF641517961
                                                                        Similarity
                                                                        • API ID: CurrentProcess_invalid_parameter_noinfo
                                                                        • String ID: *?$.
                                                                        • API String ID: 2518042432-3972193922
                                                                        Similarity
                                                                        • API ID: memcpy_s
                                                                        • String ID:
                                                                        • API String ID: 1502251526-0
                                                                        Similarity
                                                                        • API ID: ErrorFormatFreeLastLocalMessage
                                                                        • String ID:
                                                                        • API String ID: 1365068426-0
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: .
                                                                        • API String ID: 0-248832578
                                                                        Similarity
                                                                        • API ID: ExceptionRaise_clrfp
                                                                        • String ID:
                                                                        • API String ID: 15204871-0
                                                                        Similarity
                                                                        • API ID: ObjectRelease$CapsDevice
                                                                        • String ID:
                                                                        • API String ID: 1061551593-0
                                                                        Similarity
                                                                        • API ID: FormatInfoLocaleNumber
                                                                        • String ID:
                                                                        • API String ID: 2169056816-0
                                                                        APIs
                                                                          • Part of subcall function 00007FF6414F24C0: CreateFileW.KERNELBASE ref: 00007FF6414F259B
                                                                          • Part of subcall function 00007FF6414F24C0: GetLastError.KERNEL32 ref: 00007FF6414F25AE
                                                                          • Part of subcall function 00007FF6414F24C0: CreateFileW.KERNEL32 ref: 00007FF6414F260E
                                                                          • Part of subcall function 00007FF6414F24C0: GetLastError.KERNEL32 ref: 00007FF6414F2617
                                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6414F15D0
                                                                          • Part of subcall function 00007FF6414F3980: MoveFileW.KERNEL32 ref: 00007FF6414F39BD
                                                                          • Part of subcall function 00007FF6414F3980: MoveFileW.KERNEL32 ref: 00007FF6414F3A34
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: File$CreateErrorLastMove$_invalid_parameter_noinfo_noreturn
                                                                        • String ID:
                                                                        • API String ID: 34527147-0
                                                                        • Opcode ID: a3f7aeee67f5c6efee88f6f2c4f2f574ca9db3d7719bf1359f9a84a60e1a1e68
                                                                        • Instruction ID: e3b6d3c346799df705bd5aea0f6692237be2986ca5e0968d40082cd8703bece8
                                                                        • Opcode Fuzzy Hash: a3f7aeee67f5c6efee88f6f2c4f2f574ca9db3d7719bf1359f9a84a60e1a1e68
                                                                        • Instruction Fuzzy Hash: F091DD62B2CA4682EB12FB62D4446AE6362FB94FC8F441032EE1D97B95DF3CD545C700
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: Version
                                                                        • String ID:
                                                                        • API String ID: 1889659487-0
                                                                        • Opcode ID: 6220f8f0736b52f52a4f9f0684f7fcd1da0b773ba531a70ae5974f71c0de4052
                                                                        • Instruction ID: ab5d51880e707b7d745ea5895d62177f01965795af25f37c980c285aee1df1f1
                                                                        • Opcode Fuzzy Hash: 6220f8f0736b52f52a4f9f0684f7fcd1da0b773ba531a70ae5974f71c0de4052
                                                                        • Instruction Fuzzy Hash: BF01D7B5D0C5468AE76ABB10E8517BA73A2BB98314F600234E66D877A4DF3CE4058F04
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo
                                                                        • String ID: 0
                                                                        • API String ID: 3215553584-4108050209
                                                                        • Opcode ID: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
                                                                        • Instruction ID: 22c6175987a8c5d061fa47c3721a455f015975ae23b8c7c101c8879f8e06ef4e
                                                                        • Opcode Fuzzy Hash: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
                                                                        • Instruction Fuzzy Hash: 2581F3A2E5C24246EBBFBE1580806FD2B91EF51748F941531DD29CBAB9CF2DE846C740
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo
                                                                        • String ID: 0
                                                                        • API String ID: 3215553584-4108050209
                                                                        • Opcode ID: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
                                                                        • Instruction ID: ef09811cd680cb8675fad295b006dd3e99ca5f32cb13625e022ea1914339c459
                                                                        • Opcode Fuzzy Hash: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
                                                                        • Instruction Fuzzy Hash: B171F5E2E8C24247EB7FBE2940802FD2F91AF41754F181931DD29C76BACE6DE8468741
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: gj
                                                                        • API String ID: 0-4203073231
                                                                        • Opcode ID: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
                                                                        • Instruction ID: c87e5df803348fc6bb7d6f3a3c9d7fcc4597ce6de5aecb979618ef9fcbe31461
                                                                        • Opcode Fuzzy Hash: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
                                                                        • Instruction Fuzzy Hash: EF519137B286908BD715CF25E400A9E73A5F388758F445126EF5A93B05CF39E945CF40
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @
                                                                        • API String ID: 0-2766056989
                                                                        • Opcode ID: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
                                                                        • Instruction ID: 56b169c21e3add78690791cb7e07bdc5d6ff8e334d4d3c6b8543e6c8cb182ce5
                                                                        • Opcode Fuzzy Hash: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
                                                                        • Instruction Fuzzy Hash: 8B41B0A2B18B5886EB09EF2AD4552E977A1A758FD0B499036DE2DC7764DE3DD042C300
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: HeapProcess
                                                                        • String ID:
                                                                        • API String ID: 54951025-0
                                                                        • Opcode ID: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
                                                                        • Instruction ID: 49afc5d2a900ef837da8462514e404d33abeb687a98edcc87e7583bb47ec9a02
                                                                        • Opcode Fuzzy Hash: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
                                                                        • Instruction Fuzzy Hash: 98B09260E1BA02C2EB0EBB556C823D822E4BF58700F948038C11C81330DE3C20B54B00
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 93e830777a8553980f5fe243353a36f6d8d27a5fc8052bc9569f2c684e316ecf
                                                                        • Instruction ID: f9dc06a4ef4e784279c048522d6472168fbda432782f90c2a17b663ebfea6243
                                                                        • Opcode Fuzzy Hash: 93e830777a8553980f5fe243353a36f6d8d27a5fc8052bc9569f2c684e316ecf
                                                                        • Instruction Fuzzy Hash: 4A8208A3A0D6C18AD75AEFA4D5042FC3F61E756B88F198136CA6E873A6DE3CD445C310
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
                                                                        • Instruction ID: 1acb6736070106712280696a532f9efeb663fd164873568d9f24118cd2774e55
                                                                        • Opcode Fuzzy Hash: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
                                                                        • Instruction Fuzzy Hash: 1B627F9AD3AF9A1EE303A53954131D2E35C0EF74C9551E31BFCE431E66EB92A6832314
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 569adc29ececf777b1726fc3f5cd67d4b9927b4b604ee9515eb09b13eba64041
                                                                        • Instruction ID: 8f74d39216e698f698e93f90054f8cb88d92e8ecda087f5775238d759f1b2ba1
                                                                        • Opcode Fuzzy Hash: 569adc29ececf777b1726fc3f5cd67d4b9927b4b604ee9515eb09b13eba64041
                                                                        • Instruction Fuzzy Hash: D88211B3A1D6C18AD71AEE68D4046FC7B61F753B48F098236CA6D877A5CE3C9885C710
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
                                                                        • Instruction ID: c9d7295b54bc05676d8de37bd4e7d476966498fcc1d71ba157f189691819ab7b
                                                                        • Opcode Fuzzy Hash: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
                                                                        • Instruction Fuzzy Hash: C722E3B3B246508BD728CF25C89AE5E3766F799744B4B8228DF0ACB785DB38D505CB40
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc
                                                                        • String ID:
                                                                        • API String ID: 190572456-0
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                        • String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
                                                                        • API String ID: 3668304517-727060406
                                                                        Similarity
                                                                        • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                                        • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                        • API String ID: 2565136772-3242537097
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
                                                                        • String ID: DXGIDebug.dll$UNC$\\?\
                                                                        • API String ID: 4097890229-4048004291
                                                                        • Opcode ID: caeda946b173b290eeb0eea351584ffd7bcd35d17f0c3fb79cdbd079912c01be
                                                                        • Instruction ID: 5cb0bd506f99bfc195da98c1130784c020c84f3fb297480ffbd564981d35c0b4
                                                                        • Opcode Fuzzy Hash: caeda946b173b290eeb0eea351584ffd7bcd35d17f0c3fb79cdbd079912c01be
                                                                        • Instruction Fuzzy Hash: E212BC62B0CB4284EB12FF65E4501AD6372EB85B98F504236DAAD87BE9DF3CD549C340
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
                                                                        • String ID: GETPASSWORD1$Software\WinRAR SFX
                                                                        • API String ID: 431506467-1315819833
                                                                        • Opcode ID: 100daac0e34165666268f43f408bc6971489d972bf40231fa28c726ba550acfe
                                                                        • Instruction ID: 8aeeffd900f0a4fb6f18bf1463f4856f3a1894bfe739fb49fd891a609c716d66
                                                                        • Opcode Fuzzy Hash: 100daac0e34165666268f43f408bc6971489d972bf40231fa28c726ba550acfe
                                                                        • Instruction Fuzzy Hash: B1B1B2A2F1D74285FB06FBA4D4442FC27B2AB85798F504235DA2DA6AE9DF3CE145C304
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn$Global$AllocCreateStream
                                                                        • String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                                        • API String ID: 2868844859-1533471033
                                                                        • Opcode ID: 31d7dc5894d1c9fa85229d9e77b41a308ef747ae09a8312bf4b27f03762016a6
                                                                        • Instruction ID: ae01b260516d6d3e896c37a5332d44950051ea79826bcf9fd6fc4ce30f7a4954
                                                                        • Opcode Fuzzy Hash: 31d7dc5894d1c9fa85229d9e77b41a308ef747ae09a8312bf4b27f03762016a6
                                                                        • Instruction Fuzzy Hash: B581A1A2F1CA4685FB0AFBA5D4402ED2772AF45798F400135DE6D97AE9EF38D50AC300
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo
                                                                        • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                                                        • API String ID: 3215553584-2617248754
                                                                        • Opcode ID: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
                                                                        • Instruction ID: c9228e42f4ce4aad41e2cbee2900bcf2693618142b70e70c61c6f90339025377
                                                                        • Opcode Fuzzy Hash: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
                                                                        • Instruction Fuzzy Hash: 0541CDB6B09B4589EB0AEF24E8417E937A4EB18398F004536EE6C87B65DF3CD025C344
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Window$MessageObjectSend$ClassDeleteLongName
                                                                        • String ID: STATIC
                                                                        • API String ID: 2845197485-1882779555
                                                                        • Opcode ID: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
                                                                        • Instruction ID: b2f19310c9d3f6e3a6e52741932858d34682717a33932894d1e555d46694622b
                                                                        • Opcode Fuzzy Hash: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
                                                                        • Instruction Fuzzy Hash: 3031E4A1B0C64286FB6ABB52A5507FA6791FF8ABC4F014030DD6D87B66DF3CE4028740
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: ItemTextWindow
                                                                        • String ID: LICENSEDLG
                                                                        • API String ID: 2478532303-2177901306
                                                                        • Opcode ID: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
                                                                        • Instruction ID: 4168aebfdaa59bbb4797baf1848a49482118ef356f1d1a898bdb69097a899cd9
                                                                        • Opcode Fuzzy Hash: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
                                                                        • Instruction Fuzzy Hash: EE419FA5B0CA5282FB1ABB51E9547F927A1EF85B84F044035D92EC3BB5CF3CE9468304
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: AddressProc$CurrentDirectoryProcessSystem
                                                                        • String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
                                                                        • API String ID: 2915667086-2207617598
                                                                        • Opcode ID: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
                                                                        • Instruction ID: 8232d6ed4cdc65222c782c95daed0535124db0ddd687b22e4ed778b3ddbb0014
                                                                        • Opcode Fuzzy Hash: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
                                                                        • Instruction Fuzzy Hash: 0A315AA5E0DB0280FB1BBB16B8542B527A1EF45B91F184135C96EC37B4EE3CE5598708
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                        • String ID: $
                                                                        • API String ID: 3668304517-227171996
                                                                        • Opcode ID: 7957b1f7c23d8b99e8b957fd2374c8a83d1170bc9397b993806739df2f8497c6
                                                                        • Instruction ID: afcbbd985caa3cd3a97cef07534ca1cfc3c1f983ad11bc5cfb06db734e622c11
                                                                        • Opcode Fuzzy Hash: 7957b1f7c23d8b99e8b957fd2374c8a83d1170bc9397b993806739df2f8497c6
                                                                        • Instruction Fuzzy Hash: 9FF1AFA2F18B4680EF0ABBA4D4445FC2B61AB55BA8F505631CA7D977E5DF7CE1808340
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                                        • String ID: csm$csm$csm
                                                                        • API String ID: 2940173790-393685449
                                                                        • Opcode ID: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
                                                                        • Instruction ID: e4469e8672943972ea7c7fc3b26c384bf013bb8f906bc081106dbf088fc9c6b4
                                                                        • Opcode Fuzzy Hash: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
                                                                        • Instruction Fuzzy Hash: 1EE180B3E1C6828AE716BF25D4803ED7BA0FB46758F144235DAAD876A5CF38E585C700
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: AllocClearStringVariant
                                                                        • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                                        • API String ID: 1959693985-3505469590
                                                                        • Opcode ID: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
                                                                        • Instruction ID: 46db897126f2353d69f69e80a08990677487bf4c4ca32dd6b499146db19f2c13
                                                                        • Opcode Fuzzy Hash: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
                                                                        • Instruction Fuzzy Hash: 50712C76B18A0585EB15EF65E8805ED77B1FB88B98B045132EA5D87B78DF3CE144C700
                                                                        APIs
                                                                        • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF6415174F3,?,?,?,00007FF64151525E,?,?,?,00007FF641515219), ref: 00007FF641517371
                                                                        • GetLastError.KERNEL32(?,?,00000000,00007FF6415174F3,?,?,?,00007FF64151525E,?,?,?,00007FF641515219), ref: 00007FF64151737F
                                                                        • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF6415174F3,?,?,?,00007FF64151525E,?,?,?,00007FF641515219), ref: 00007FF6415173A9
                                                                        • FreeLibrary.KERNEL32(?,?,00000000,00007FF6415174F3,?,?,?,00007FF64151525E,?,?,?,00007FF641515219), ref: 00007FF6415173EF
                                                                        • GetProcAddress.KERNEL32(?,?,00000000,00007FF6415174F3,?,?,?,00007FF64151525E,?,?,?,00007FF641515219), ref: 00007FF6415173FB
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                                        • String ID: api-ms-
                                                                        • API String ID: 2559590344-2084034818
                                                                        • Opcode ID: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
                                                                        • Instruction ID: bade049840878e0be31bb5f20946a12758554341c80cc9dbe0ddeaa7509509c4
                                                                        • Opcode Fuzzy Hash: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
                                                                        • Instruction Fuzzy Hash: 4831AFA2E1E64281EF1BBF4AA8005F52A94FF08BA4F594935DD3D8B7A0DF3CE0408710
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(?,?,?,00007FF641511573,?,?,?,00007FF64151192A), ref: 00007FF64151162B
                                                                        • GetProcAddress.KERNEL32(?,?,?,00007FF641511573,?,?,?,00007FF64151192A), ref: 00007FF641511648
                                                                        • GetProcAddress.KERNEL32(?,?,?,00007FF641511573,?,?,?,00007FF64151192A), ref: 00007FF641511664
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc$HandleModule
                                                                        • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                        • API String ID: 667068680-1718035505
                                                                        APIs
                                                                          • Part of subcall function 00007FF6414F51A4: GetVersionExW.KERNEL32 ref: 00007FF6414F51D5
                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6414E5AB4), ref: 00007FF6414FED8C
                                                                        • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6414E5AB4), ref: 00007FF6414FED98
                                                                        • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6414E5AB4), ref: 00007FF6414FEDA8
                                                                        • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6414E5AB4), ref: 00007FF6414FEDB6
                                                                        • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6414E5AB4), ref: 00007FF6414FEDC4
                                                                        • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6414E5AB4), ref: 00007FF6414FEE05
                                                                        Similarity
                                                                        • API ID: Time$File$System$Local$SpecificVersion
                                                                        • String ID:
                                                                        • API String ID: 2092733347-0
                                                                        Similarity
                                                                        • API ID: Time$File$System$Local$SpecificVersion
                                                                        • String ID:
                                                                        • API String ID: 2092733347-0
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                        • String ID: .rar$exe$rar$sfx
                                                                        • API String ID: 3668304517-630704357
                                                                        Similarity
                                                                        • API ID: abort$CallEncodePointerTranslator
                                                                        • String ID: MOC$RCC
                                                                        • API String ID: 2889003569-2084237596
                                                                        Similarity
                                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                        • String ID: csm$f
                                                                        • API String ID: 2395640692-629598281
                                                                        Similarity
                                                                        • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
                                                                        • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                        • API String ID: 2102711378-639343689
                                                                        Similarity
                                                                        • API ID: Window$Show$Rect
                                                                        • String ID: RarHtmlClassName
                                                                        • API String ID: 2396740005-1658105358
                                                                        Similarity
                                                                        • API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
                                                                        • String ID: sfxcmd$sfxpar
                                                                        • API String ID: 3540648995-3493335439
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                        • API String ID: 0-56093855
                                                                        Similarity
                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                        • API String ID: 4061214504-1276376045
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo
                                                                        • String ID:
                                                                        • API String ID: 3215553584-0
                                                                        • Opcode ID: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
                                                                        • Instruction ID: 25b1014331334c181221f291adc6bac42ad148f32ac4fa84a6768fad08f6365c
                                                                        • Opcode Fuzzy Hash: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
                                                                        • Instruction Fuzzy Hash: 9381D3A3F2C65289F72ABF65D8406FD26A0BB45B84F044135DE2E936B5CF3CA442CB10
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
                                                                        • String ID:
                                                                        • API String ID: 2398171386-0
                                                                        • Opcode ID: 14fdea18fdcf977c61dce6ecaccc8aa35300d093acc7d7c713630260d7cb0aba
                                                                        • Instruction ID: b9c1ee939199c0177cedddb3ec2ae45e8f9d7a55eb5b6fa3bcc3124d9cecb2bf
                                                                        • Opcode Fuzzy Hash: 14fdea18fdcf977c61dce6ecaccc8aa35300d093acc7d7c713630260d7cb0aba
                                                                        • Instruction Fuzzy Hash: 9451BF62F0CA4259FB56FFA5E9503BD23B2AB487A8F004635DE2D867D9DE3C9545C300
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                                                        • String ID:
                                                                        • API String ID: 3659116390-0
                                                                        • Opcode ID: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
                                                                        • Instruction ID: 3226450bf61bd783d6d154afb5257a9f7225e4efa53fca0bd58ca1203016a91d
                                                                        • Opcode Fuzzy Hash: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
                                                                        • Instruction Fuzzy Hash: 9A51B0B3B18A5189E71AEB65D4443EC3BB1BB44798F148135CE6E97AA8DF38D145CB00
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$AllocString
                                                                        • String ID:
                                                                        • API String ID: 262959230-0
                                                                        • Opcode ID: 55eea0222137253c860f73f771396d48486a61dcff80d6f5aaddb46a2ec13fc8
                                                                        • Instruction ID: 14607eb6f5c3ee7245bd0a957c3d409f570a235fc26dc4ef2ec03a7f98650784
                                                                        • Opcode Fuzzy Hash: 55eea0222137253c860f73f771396d48486a61dcff80d6f5aaddb46a2ec13fc8
                                                                        • Instruction Fuzzy Hash: 214190A1E0D64689EB1BBF7194802F92A91EF44BA4F544634EA7DC77E6DF3CE1418310
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc
                                                                        • String ID:
                                                                        • API String ID: 190572456-0
                                                                        • Opcode ID: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
                                                                        • Instruction ID: 7092f6ba27d5bde3d8f5a6da135b46e01bb5c107461f9bc9a22827e8938c4979
                                                                        • Opcode Fuzzy Hash: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
                                                                        • Instruction Fuzzy Hash: D841B2A2F0DA4281FB1BBF56A8005F56695BF54B90F0A4536DD3DCBBA4EE3CE4448300
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: _set_statfp
                                                                        • String ID:
                                                                        • API String ID: 1156100317-0
                                                                        • Opcode ID: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
                                                                        • Instruction ID: 157b862b4993deba77f29f92e017ed5d9559855940250dcf394eda58dd557431
                                                                        • Opcode Fuzzy Hash: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
                                                                        • Instruction Fuzzy Hash: 49116DB7EBCA0785F75E3324E5423F911416F553E0F4C8274EA7E8A6F69E2CA4444A05
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: Message$DispatchObjectPeekSingleTranslateWait
                                                                        • String ID:
                                                                        • API String ID: 3621893840-0
                                                                        • Opcode ID: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
                                                                        • Instruction ID: a6c7348a5900618246299307806565cbb3f10527a0e776ed089c97a382967599
                                                                        • Opcode Fuzzy Hash: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
                                                                        • Instruction Fuzzy Hash: A1F04F62B2C54683F755B760E554BFA2261FFA4B05F445030E95E818A49E3CD559CB00
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: __except_validate_context_recordabort
                                                                        • String ID: csm$csm
                                                                        • API String ID: 746414643-3733052814
                                                                        • Opcode ID: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
                                                                        • Instruction ID: 2bfdbcb3cea4ccefa0e4361060e9eff72fc8056e8faebb8eb62e10aa0dbc1e8f
                                                                        • Opcode Fuzzy Hash: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
                                                                        • Instruction Fuzzy Hash: 2C71B0A2A0C69186D76BBF25D0907BD7FA1EB01B88F048135DE6C87AA5CF7CD891C740
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo
                                                                        • String ID: $*
                                                                        • API String ID: 3215553584-3982473090
                                                                        • Opcode ID: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
                                                                        • Instruction ID: c13817e582409ae1874f4a778ad573a4bcd1bb60477d94fe9dae0a7790d6fb51
                                                                        • Opcode Fuzzy Hash: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
                                                                        • Instruction Fuzzy Hash: 835134B2D8CA428AE77FBE2884443FC3FA1FB16B18F141135D67A852A9CF6CD481C605
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$StringType
                                                                        • String ID: $%s
                                                                        • API String ID: 3586891840-3791308623
                                                                        • Opcode ID: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
                                                                        • Instruction ID: 901f06ee4b0b5bc3963f9168ece4fc7665e4da1be6b5e0346778ed5a36dc652d
                                                                        • Opcode Fuzzy Hash: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
                                                                        • Instruction Fuzzy Hash: C0419963B18B8149EB6ABF65D4802E96391FB44BA8F480235DE2D877E5DF7CE5418700
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: CreateFrameInfo__except_validate_context_recordabort
                                                                        • String ID: csm
                                                                        • API String ID: 2466640111-1018135373
                                                                        • Opcode ID: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
                                                                        • Instruction ID: 05e6c6e7115d79a62761ec9b2fda64fc5177c92dc7054affa03b359d022a59ae
                                                                        • Opcode Fuzzy Hash: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
                                                                        • Instruction Fuzzy Hash: 25512CB7A2D74186D726BF15E0402AE7BA4FB89B90F140534EAAD87B65DF3CD451CB00
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharErrorFileLastMultiWideWrite
                                                                        • String ID: U
                                                                        • API String ID: 2456169464-4171548499
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: ObjectRelease
                                                                        • String ID:
                                                                        • API String ID: 1429681911-3916222277
                                                                        APIs
                                                                        • InitializeCriticalSection.KERNEL32(?,?,?,00007FF64150317F,?,?,00001000,00007FF6414EE51D), ref: 00007FF6414FE8BB
                                                                        • CreateSemaphoreW.KERNEL32(?,?,?,00007FF64150317F,?,?,00001000,00007FF6414EE51D), ref: 00007FF6414FE8CB
                                                                        • CreateEventW.KERNEL32(?,?,?,00007FF64150317F,?,?,00001000,00007FF6414EE51D), ref: 00007FF6414FE8E4
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                        • String ID: Thread pool initialization failed.
                                                                        • API String ID: 3340455307-2182114853
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: CapsDeviceRelease
                                                                        • String ID:
                                                                        • API String ID: 127614599-3916222277
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn$FileTime
                                                                        • String ID:
                                                                        • API String ID: 1137671866-0
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: ErrorLast
                                                                        • String ID:
                                                                        • API String ID: 1452528299-0
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
                                                                        • String ID:
                                                                        • API String ID: 1077098981-0
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                                        • String ID:
                                                                        • API String ID: 4141327611-0
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: FileMove_invalid_parameter_noinfo_noreturn
                                                                        • String ID:
                                                                        • API String ID: 3823481717-0
                                                                        APIs
                                                                        • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF64151C45B), ref: 00007FF641520B91
                                                                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF64151C45B), ref: 00007FF641520BF3
                                                                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF64151C45B), ref: 00007FF641520C2D
                                                                        • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF64151C45B), ref: 00007FF641520C57
                                                                        Similarity
                                                                        • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                                        • String ID:
                                                                        • API String ID: 1557788787-0
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: ErrorLast$abort
                                                                        • String ID:
                                                                        • API String ID: 1447195878-0
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: CapsDevice$Release
                                                                        • String ID:
                                                                        • API String ID: 1035833867-0
                                                                        • Opcode ID: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
                                                                        • Instruction ID: 14eead1f68909b1adb7d2449c12c70491e46277f7b75ec0c1d96521005190680
                                                                        • Opcode Fuzzy Hash: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
                                                                        • Instruction Fuzzy Hash: ABE0EDA0F0D70282FF1E7B75A9592762190EF48741F084439C83F86370DD3CA0A5C614
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                        • String ID: DXGIDebug.dll
                                                                        • API String ID: 3668304517-540382549
                                                                        • Opcode ID: af41f5b367367adcbbc9fbea96428c46d5ee0daf519fd66926152a8cf2950bdf
                                                                        • Instruction ID: 06ec227911b309e83cfacb6604d97b936f1b13b3a3f2299fa1caeaabf663b90e
                                                                        • Opcode Fuzzy Hash: af41f5b367367adcbbc9fbea96428c46d5ee0daf519fd66926152a8cf2950bdf
                                                                        • Instruction Fuzzy Hash: CD71CD72A08B8182EB15EF25E8403ADB3A9FB54B94F104236DBAD47BA5DF38D151C300
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo
                                                                        • String ID: e+000$gfff
                                                                        • API String ID: 3215553584-3030954782
                                                                        • Opcode ID: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
                                                                        • Instruction ID: 488fa0fab37b0b9bc9d5bb8d96f6dae5ff099c4eda78270f63633758d168b44c
                                                                        • Opcode Fuzzy Hash: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
                                                                        • Instruction Fuzzy Hash: AA51C8A2F1C7C146E76BAF3599517E96E91E781B90F089231D6BC87BE5CF2CE4448700
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn$swprintf
                                                                        • String ID: SIZE
                                                                        • API String ID: 449872665-3243624926
                                                                        • Opcode ID: 1ee6a6b9fbbd6c3126f8bc5ffec1b6aa008f2877db1f13591811bbd6ed408201
                                                                        • Instruction ID: 139cf88e2526ec9ed09844373830357f437e2307c780167a54a0eccb056db033
                                                                        • Opcode Fuzzy Hash: 1ee6a6b9fbbd6c3126f8bc5ffec1b6aa008f2877db1f13591811bbd6ed408201
                                                                        • Instruction Fuzzy Hash: 7941D0A2A1C68681EB16FF58E4453FD7312AF85798F505231FAAD867E6EE3CD140C704
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: FileModuleName_invalid_parameter_noinfo
                                                                        • String ID: C:\Users\user\Desktop\0442.pdf.exe
                                                                        • API String ID: 3307058713-1489544898
                                                                        • Opcode ID: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
                                                                        • Instruction ID: b08ad3ad4774ff7ea3eabe7cb50109321b43c88cccd86d88dfcf96bd03f579b1
                                                                        • Opcode Fuzzy Hash: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
                                                                        • Instruction Fuzzy Hash: 19419EB2E0CA528AEB1FFF25A4411FC7BA4EB44B84B444035E96E87B65DE3DE441C300
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: ItemText$DialogWindow
                                                                        • String ID: ASKNEXTVOL
                                                                        • API String ID: 445417207-3402441367
                                                                        • Opcode ID: 97ebd98f0834f70bd8f3ada112357d921bc9d5e9383391aa045354938bfaeae3
                                                                        • Instruction ID: fc03ad7faf6ff7b0bfb8da41744b916b99e27308cbbb5b0134f36297eff45602
                                                                        • Opcode Fuzzy Hash: 97ebd98f0834f70bd8f3ada112357d921bc9d5e9383391aa045354938bfaeae3
                                                                        • Instruction Fuzzy Hash: 5841CFA2E1CA8281FB1ABB52E5543FA27A1BF86BC4F140035DE5D877A9CE3CE5518340
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide_snwprintf
                                                                        • String ID: $%s$@%s
                                                                        • API String ID: 2650857296-834177443
                                                                        • Opcode ID: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
                                                                        • Instruction ID: 86ea93e8faafbf0ca10efed3dd0c45b5802f5d027fad04ad3af0ce6e2fc20af7
                                                                        • Opcode Fuzzy Hash: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
                                                                        • Instruction Fuzzy Hash: 7E31E2B2B1CA4695EB16BFA6E4403E923A1FB44788F500036EE2C877A5EF3CE505C700
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: FileHandleType
                                                                        • String ID: @
                                                                        • API String ID: 3000768030-2766056989
                                                                        • Opcode ID: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
                                                                        • Instruction ID: 7fc5d8e41c605d5c8b8f0155666a7ba7171a628ed02c58adf85bd838180d1ba2
                                                                        • Opcode Fuzzy Hash: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
                                                                        • Instruction Fuzzy Hash: CA214FA2F0CA8241EB6BBF2594901B92A91FB45774F281335D67F867E4CE3DD881C351
                                                                        APIs
                                                                        • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF641511D3E), ref: 00007FF6415140BC
                                                                        • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF641511D3E), ref: 00007FF641514102
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: ExceptionFileHeaderRaise
                                                                        • String ID: csm
                                                                        • API String ID: 2573137834-1018135373
                                                                        • Opcode ID: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
                                                                        • Instruction ID: a5a22dc542a279f36466792b1a53fba2ddf0576ef9f47b423802cab70d3e5cd6
                                                                        • Opcode Fuzzy Hash: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
                                                                        • Instruction Fuzzy Hash: EB114F76A0CB4182EB26AF15E4402A97BE1FB88B94F184231DF9D47768DF3CD555CB00
                                                                        APIs
                                                                        • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF6414FE95F,?,?,?,00007FF6414F463A,?,?,?), ref: 00007FF6414FEA63
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6414FE95F,?,?,?,00007FF6414F463A,?,?,?), ref: 00007FF6414FEA6E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLastObjectSingleWait
                                                                        • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                        • API String ID: 1211598281-2248577382
                                                                        • Opcode ID: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
                                                                        • Instruction ID: 279f7fffa54bcdb9ed3d66183eade6b19a876aaef5732a09bad9de12d68bcbc5
                                                                        • Opcode Fuzzy Hash: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
                                                                        • Instruction Fuzzy Hash: 69E04FA6E1D90291F706B770AC825F822517F60770FA00330D03EC25F59F2CAA498B05
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1725243679.00007FF6414E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6414E0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1725191687.00007FF6414E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725282445.00007FF641528000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF64153B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725307381.00007FF641544000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1725423591.00007FF64154E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff6414e0000_0442.jbxd
                                                                        Similarity
                                                                        • API ID: FindHandleModuleResource
                                                                        • String ID: RTL
                                                                        • API String ID: 3537982541-834975271
                                                                        • Opcode ID: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
                                                                        • Instruction ID: dc55afda68d17d62922904e4c00c03934f2d46f31dc31889c44d295722ad2c32
                                                                        • Opcode Fuzzy Hash: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
                                                                        • Instruction Fuzzy Hash: C4D05ED2F0D60682FF1EBBB1A4497F422905F18B41F584038CC6E863E4EE2CE088CB50